This GigaOm Research Reprint Expires Aug 28, 2024

GigaOm Radar for Network Detection and Response (NDR) v1.0

Securing the Enterprise

1. Summary

Today’s IT infrastructure is becoming increasingly elaborate, comprising hybrid cloud and on-premises environments, internet of things (IoT) devices, and third-party providers. As a result, organizations face the almost impossible task of protecting complex environments against all attack vectors. With traditional security solutions—such as firewalls, intrusion detection systems (IDS), intrusion prevention systems (IPS), and security information and event management (SIEM) systems—unable to provide complete protection, new technologies are needed to detect anomalous behaviors and provide investigative capabilities in the event of a network breach.

Also known as network traffic analysis (NTA), network detection and response (NDR) is a modern security solution for mitigating the risk of advanced cyberattacks, such as advanced persistent threats (APTs), data exfiltration, lateral movement, malware activity, and ransomware. Complementing other detection tools, NDR solutions analyze raw network packet traffic or traffic flows, including both north-south traffic between the internet and internal hosts and east-west traffic between internal hosts, to identify malicious activity, keep false positive rates low, and detect anomalies that tools relying on known attack patterns or signatures can’t identify.

Unlike endpoint detection and response (EDR)—which monitors and prevents endpoint attacks—or extended detection and response (XDR)—which collects and correlates data from multiple security components—NDR analyzes network traffic in real time and uses a variety of advanced technologies—such as behavioral analytics and machine learning—to detect unknown malware and any irregular activity that may indicate a cyberattack. Comparing current traffic against a baseline of regular network traffic, NDR solutions continuously monitor the network; correlate events across time, users, and applications; and surface security-relevant context to help mitigate the attack via native capabilities or integration with other security tools or security orchestration, automation, and response (SOAR) solutions.

This GigaOm Radar report highlights key NDR vendors and equips IT decision-makers with the information needed to select the best fit for their business and use case requirements. In the corresponding GigaOm report “Key Criteria for Evaluating NDR Solutions,” we describe in more detail the capabilities and metrics that are used to evaluate vendors in this market.

This is our first year evaluating the NDR space in the context of our Key Criteria and Radar reports. All solutions included in this Radar report meet the following table stakes—capabilities widely adopted and well implemented in the sector:

  • Comprehensive threat detection
  • Non-signature-based threat detection
  • North-south and east-west monitoring
  • Built-in incident response

How to Read this Report

This GigaOm report is one of a series of documents that helps IT organizations assess competing solutions in the context of well-defined features and criteria. For a fuller understanding, consider reviewing the following reports:

Key Criteria report: A detailed market sector analysis that assesses the impact that key product features and criteria have on top-line solution characteristics—such as scalability, performance, and TCO—that drive purchase decisions.

GigaOm Radar report: A forward-looking analysis that plots the relative value and progression of vendor solutions along multiple axes based on strategy and execution. The Radar report includes a breakdown of each vendor’s offering in the sector.

2. Market Categories and Deployment Types

To better understand the market and vendor positioning (Table 1), we assess how well NDR solutions are positioned to serve specific market segments and deployment models.

For this report, we recognize the following market segments:

  • Cloud service providers (CSPs): Providers delivering on-demand, pay-per-use services to customers over the internet, including infrastructure as a service (IaaS), platform as a service (PaaS), and software as a service (SaaS).
  • Network service providers (NSPs): Service providers selling network services (network access and bandwidth) that provide entry points to backbone infrastructure or network access points (NAPs). In this report, NSPs include data carriers, ISPs, telcos, and wireless providers.
  • Managed service providers (MSPs): Service providers delivering application, IT infrastructure, network, and security services and support for businesses on customer premises, in the MSP’s data center (hosting), or in a third-party data center.
  • Large enterprises: Enterprises of 1,000 or more employees with dedicated IT teams responsible for planning, building, deploying, and managing their applications, IT infrastructure, networks, and security in either an on-premises data center or a colocation facility.
  • Small-to-medium businesses (SMBs): Small businesses (fewer than 100 employees) to medium-sized businesses (100 to 1,000 employees) with limited budgets and constrained in-house resources for planning, building, deploying, and managing their applications, IT infrastructure, networks, and security in either an on-premises data center or a colocation facility.

In addition, we recognize five deployment models:

  • Stand-alone hardware sensors: Network data is collected by installing dedicated physical hardware sensors at critical junctions across the network.
  • Embedded hardware sensors: Network data is collected by embedding sensors in network equipment across the network, such as routers or switches.
  • Virtual sensors: Network data is collected by installing dedicated virtual sensors on IaaS platforms or in VMs at critical junctions across the network.
  • Endpoint sensors: Network data is collected by embedding sensors in endpoints across the network, including user devices.
  • Third-party infrastructure: Network data is collected from preexisting third-party infrastructure logs or via packet visibility APIs across the network.

Table 1. Vendor Positioning: Market Segment and Deployment Model

Market Segment columns: CSPs | NSPs | MSPs | Large Enterprises | SMBs
Deployment Model columns: Standalone Hardware Sensors | Embedded Hardware Sensors | Virtual Sensors | Endpoint Sensors | Third-Party Infrastructure

Vendors (rows): Accedian, Arista, Broadcom, Cisco, Corelight, Cryptomage, Cynamics, Darktrace, ExtraHop, Fidelis Cybersecurity, GREYCORTEX, IronNet, Lumu Technologies, NetWitness, OpenText, Plixer, Progress, Stamus Networks, Trellix, Trend Micro, Vectra AI, VMware
(The per-vendor ratings in this table were rendered as symbols in the original and did not survive in this text version.)

Legend: 3 Exceptional: outstanding focus and execution; 2 Capable: good but with room for improvement; 1 Limited: lacking in execution and use cases; Not applicable or absent

3. Key Criteria Comparison

Building on the findings from the GigaOm report, “Key Criteria for Evaluating NDR Solutions,” Tables 2 and 3 summarize how well each provider included in this research performs in the areas we consider differentiating and critical for the sector.

  • Key criteria differentiate solutions based on features and capabilities, outlining the primary criteria to be considered when evaluating an NDR solution.
  • Evaluation metrics provide insight into the non-functional requirements that factor into a purchase decision and determine a solution’s impact on an organization.

The objective is to give the reader a snapshot of the technical capabilities of available solutions, define the perimeter of the market landscape, and gauge the potential impact on the business.

Table 2. Key Criteria Comparison

Key criteria columns: IAD = Intelligent Anomaly Detection; OOB = Out-of-the-Box Analysis; ZNF = Zero-Network Footprint; IFD = Integrated Flow Data; HF = Historical Forensics; AR = Automated Response; MNDR = Managed NDR; RC = Regulatory Compliance

Vendor                  IAD  OOB  ZNF  IFD  HF  AR  MNDR  RC
Accedian                  2    2    2    2   2   3     3   2
Arista                    3    3    2    3   3   2     3   3
Broadcom                  3    2    1    2   3   2     1   2
Cisco                     2    3    1    3   2   3     3   2
Corelight                 2    2    2    1   3   2     2   2
Cryptomage                3    2    1    1   2   2     1   3
Cynamics                  3    3    3    3   2   2     3   3
Darktrace                 3    2    2    2   3   3     1   2
ExtraHop                  3    3    2    2   3   2     2   3
Fidelis Cybersecurity     3    2    1    2   3   2     1   1
GREYCORTEX                2    2    2    3   2   2     2   3
IronNet                   2    2    2    2   2   3     3   2
Lumu Technologies         3    3    3    2   3   2     3   3
NetWitness                2    2    2    2   3   3     3   2
OpenText                  1    2    1    1   2   1     1   2
Plixer                    3    3    3    3   2   2     1   1
Progress                  2    2    1    3   2   1     1   2
Stamus Networks           1    3    1    2   3   2     1   2
Trellix                   2    2    1    2   3   2     1   2
Trend Micro               2    2    1    2   2   2     3   3
Vectra AI                 3    3    2    2   3   2     3   3
VMware                    3    2    3    2   2   2     1   2

Legend: 3 Exceptional: outstanding focus and execution; 2 Capable: good but with room for improvement; 1 Limited: lacking in execution and use cases; Not applicable or absent

Table 3. Evaluation Metrics Comparison

Evaluation metric columns: Flex = Flexibility; Scal = Scalability; Vis = Visibility; Eco = Ecosystem Support; VSup = Vendor Support; Price = Pricing & TCO; Vision = Vision & Roadmap

Vendor                  Flex  Scal  Vis  Eco  VSup  Price  Vision
Accedian                   3     2    2    3     3      3       3
Arista                     3     3    2    3     3      2       3
Broadcom                   2     3    3    3     2      1       2
Cisco                      2     3    3    1     2      1       2
Corelight                  3     2    3    3     2      1       2
Cryptomage                 2     2    3    1     1      3       2
Cynamics                   3     3    3    2     2      1       1
Darktrace                  2     3    2    3     3      2       3
ExtraHop                   3     2    3    3     3      2       3
Fidelis Cybersecurity      2     2    3    3     2      2       2
GREYCORTEX                 3     2    3    1     1      2       3
IronNet                    2     3    2    3     1      2       1
Lumu Technologies          3     3    3    3     3      3       3
NetWitness                 2     3    3    3     3      3       2
OpenText                   3     3    2    3     2      3       2
Plixer                     3     3    2    2     2      3       2
Progress                   2     2    2    2     2      1       2
Stamus Networks            2     1    2    2     2      2       2
Trellix                    2     3    3    2     3      2       2
Trend Micro                3     2    3    2     1      1       2
Vectra AI                  3     3    3    3     3      3       3
VMware                     2     2    2    2     3      2       3

Legend: 3 Exceptional: outstanding focus and execution; 2 Capable: good but with room for improvement; 1 Limited: lacking in execution and use cases; Not applicable or absent

By combining the information provided in the tables above, the reader can develop a clear understanding of the technical solutions available in the market.

4. GigaOm Radar

This report synthesizes the analysis of key criteria and their impact on evaluation metrics to inform the GigaOm Radar graphic in Figure 1. The resulting chart is a forward-looking perspective on all the vendors in this report, based on their products’ technical capabilities and feature sets.

The GigaOm Radar plots vendor solutions across a series of concentric rings, with those set closer to the center judged to be of higher overall value. The chart characterizes each vendor on two axes—balancing Maturity versus Innovation and Feature Play versus Platform Play—while providing an arrow that projects each solution’s evolution over the coming 12 to 18 months.

Figure 1. GigaOm Radar for NDR

It should be noted that Maturity does not exclude Innovation. Instead, it differentiates a vendor enhancing existing capabilities from one innovating by adding new capabilities. Furthermore, with different approaches available for collecting and analyzing network traffic, positioning in each quadrant is determined as follows:

  • Maturity/Platform Play: The vendor’s solution uses physical and virtual appliances to mirror network traffic for deep packet inspection (DPI).
  • Innovation/Platform Play: In addition to using physical and virtual appliances to mirror network traffic for DPI, the vendor’s solution incorporates flow-based metadata analysis and/or third-party data sources.
  • Innovation/Feature Play: The vendor’s solution uses flow-based metadata analysis exclusively.
  • Maturity/Feature Play: The vendor’s solution uses only physical appliances to collect data.

In addition, the length of the arrow (Forward Mover, Fast Mover, or Outperformer) is based on customer adoption and execution against roadmap and vision (based on vendor input and in comparison to improvements made across the industry in general).

As you can see in Figure 1, Arista, Cynamics, ExtraHop, Lumu Technologies, NetWitness, Plixer, and Vectra are recognized as Outperformers. Of these, three (Cynamics, Lumu Technologies, and Plixer) have taken the metadata-only route, while two others (NetWitness and Vectra) have added metadata analysis to their appliance-based solutions. We expect the other Leaders in this space (Accedian, Arista, and ExtraHop) to add flow-based metadata analysis capabilities in the next 12 to 18 months.

Inside the GigaOm Radar

The GigaOm Radar weighs each vendor’s execution, roadmap, and ability to innovate to plot solutions along two axes, each set as opposing pairs. On the Y axis, Maturity recognizes solution stability, strength of ecosystem, and a conservative stance, while Innovation highlights technical innovation and a more aggressive approach. On the X axis, Feature Play connotes a narrow focus on niche or cutting-edge functionality, while Platform Play displays a broader platform focus and commitment to a comprehensive feature set.

The closer to center a solution sits, the better its execution and value, with top performers occupying the inner Leaders circle. The centermost circle is almost always empty, reserved for highly mature and consolidated markets that lack space for further innovation.

The GigaOm Radar offers a forward-looking assessment, plotting the current and projected position of each solution over a 12- to 18-month window. Arrows indicate travel based on strategy and pace of innovation, with vendors designated as Forward Movers, Fast Movers, or Outperformers based on their rate of progression.

Note that the Radar excludes vendor market share as a metric. The focus is on forward-looking analysis that emphasizes the value of innovation and differentiation over incumbent market position.

5. Vendor Insights

Accedian: Skylight Interceptor

Founded in 2004, Accedian is a leader in performance analytics, cybersecurity threat detection, and end-user experience solutions for service providers and mid-to-large enterprises. Accedian’s Skylight platform provides granular end-to-end visibility within multilayer, multicloud, and multivendor networks, protecting the network from zero-day attacks by delivering prioritized, context-rich incidents to help accelerate the detection and response to security threats.

Figure 2. Skylight Interceptor at a Glance

Accedian’s NDR solution, Skylight Interceptor, simultaneously monitors on-premises and cloud deployments, extracting per-packet intelligence to analyze and correlate sophisticated threats in real time and speed up threat triage and evaluation. After mapping the network and its assets, Skylight Interceptor uses AI/ML to build a baseline of “normal” activity. Metadata (such as IP addresses, HTTP, DNS query, or similar information), which represents between one and three percent of all traffic, is captured from north-south and east-west traffic at Layer 2 through Layer 7, copied, and correlated in real time using physical or virtual sensors deployed as open virtualization application/appliance (OVA) files, containers, or standalone hardware on any segment of the network.

Interceptor has a robust set of signature- and rule-based detections—such as Suricata rules—and AI/ML functionality to detect and identify external and insider attacks, including domain generation algorithm (DGA) detection and traffic spikes. Using behavioral analytics, Interceptor monitors the network and detects anomalous and/or potentially malicious activity that deviates from its learned behavior. Alerts are correlated to create incidents, providing a contextualized view of the attack and alerting users to threats that should be investigated immediately. Moreover, Interceptor leverages the MITRE ATT&CK framework to identify known attack techniques and categorize identified malicious traffic, enabling users to see and classify anomalous traffic as it is identified.

Traffic is analyzed and dynamically correlated in real time, and Interceptor shares common network sensors with the Accedian Skylight network performance monitoring and diagnostics (NPMD) platform. Moreover, integration with Workato enables Skylight Interceptor to respond quickly to network threats by automatically initiating the response process through integration with multiple systems, including SIEMs, SOARs, and ticketing systems.

Skylight Interceptor includes newly integrated honeypot technology, enabling users to place lightweight honeypots throughout the network that mimic attractive, seemingly vulnerable systems. Acting as tripwires, Interceptor’s honeypots alert users to malicious activity, allowing them to react quickly. In addition, by drawing on historical data and asset mapping, users can see a history of the attacker’s behavior and respond rapidly to block the attack. Furthermore, users can drill down into a historical timeline to identify where the malicious actor went and what they did, such as downloading content or creating a backdoor.

Strengths: Accedian’s Skylight Interceptor helps organizations proactively identify threats hidden deep within the network and protects the network from zero-day attacks by delivering prioritized, context-rich incidents to speed detection and response. It has a robust set of signature- and rule-based detections as well as AI/ML functionality to detect and identify external and insider attacks.

Challenges: While Skylight Interceptor offers advanced functionality, some users find the user interface complicated. In addition, Accedian should improve Interceptor’s endpoint behavior analytics (EBA) and reduce the number of false positives by leveraging more advanced ML models. Furthermore, security incident reporting is relatively basic, but improvements are planned for upcoming releases.

Arista: Arista NDR

Founded in 2004 and with an installed base of over 8,000 customers (including many of the Fortune 2000), Arista is an industry leader in data center switching. The company has a comprehensive portfolio encompassing Arista campus and data center series switches, Cognitive Wi-Fi, CloudVision (a management, automation, and telemetry platform), and Arista Extensible Operating System (Arista EOS). In September 2020, Arista announced the acquisition of Awake Security, an NDR platform provider that combines AI with human expertise to autonomously hunt for and respond to insider and external threats, renaming it Arista NDR. Arista NDR automatically detects both unmanaged devices and those managed by standard endpoint security or IT management solutions. The platform also visualizes how these two sets change over time, allowing analysts to track the ratio of managed to unmanaged over time.

Figure 3. Arista NDR at a Glance

Arista NDR offers deep network analytics by ingesting data from AVA sensors deployed across the network, including data center, campus, cloud, and IoT workloads and SaaS applications. AVA sensors come in various form factors—embedded in Arista switches and as standalone hardware, virtual, and cloud sensors—but operate identically, parsing over 3,000 protocols and processing Layer 2 through Layer 7 data. Existing switch-based sensors can monitor both north-south and east-west traffic. The platform also analyzes encrypted protocols to identify critical context such as the nature of the traffic (file transfer, interactive shell, and so on), the applications communicating, and the presence of remote access, all without forcing decryption. AVA also eliminates signals that cannot be corroborated so that human analysts avoid wasting valuable cycles.

Arista’s EntityIQ technology uses the information collected to autonomously profile entities such as devices, users, and applications, translating ephemeral IP addresses into human-readable devices or usernames, speeding up response since analysts don’t have to track down IP addresses manually and can prioritize remediation based on the named device or user. Arista NDR maintains long-term profiles of entities for historical forensics, automatically tracking their activities and making the information available to the AI and other analytics engines built into the platform. This capability improves the efficacy of the AI since behaviors can be tracked consistently over extended periods, even as IP addresses change.

Furthermore, Arista’s Adversarial Modeling Language (AML) uses heuristics with EntityIQ fingerprints and other analytics to identify attackers based on their intent, delivering rich data analysis capabilities and a vocabulary to express attacker tactics, techniques, and procedures (TTPs). Leveraging its multi-dimensional modeling to connect dots across time, protocols, entity behaviors, and kill-chain stage, Arista NDR automates detections with extensible AI-driven models that zero in on the suspicious activity and then gather corroborating evidence to support a conviction. Arista’s models are open and documented like code for customers to adapt, create, or modify.

In addition, Arista offers a managed NDR service backed by Awake Labs analysts with decades of experience responding to some of the world’s most significant breaches, including incidents involving the Bank of Bangladesh, Saudi Aramco, Sony PlayStation, and Target.

Strengths: Arista NDR is a product of the acquisition of award-winning Awake Security in 2020. Targeting large-scale networks and offering integrations with leading hypervisors and IaaS providers for increased visibility for data center use cases, Arista NDR includes a threat-hunting search engine based on a proprietary language to identify attackers based on their intent.

Challenges: Arista NDR is a sophisticated solution delivered as a single standard offering with no additional license costs. However, many customers need smaller hardware appliances or only a subset of the essential features. Arista’s roadmap indicates smaller form factors for its hardware appliances and a lighter, cheaper version of Arista NDR to be delivered during 2023.

Broadcom: Symantec Security Analytics

Acquired by Broadcom in 2019, Symantec’s enterprise security product portfolio is recognized as an industry leader in endpoint protection and threat detection. Symantec’s comprehensive security portfolio includes several acquired and licensed technologies with various levels of functional and management integration. Symantec’s Security Analytics enables the security operations center (SOC) to quickly detect and respond to security events. Security Analytics offers full-packet capture, next-generation DPI, and indexing technologies, file brokering, advanced malware analysis, real-time threat intelligence, anomaly detection, and alerting capabilities.

Figure 4. Symantec Security Analytics at a Glance

Security Analytics offers swift, targeted responses together with a reconstruction of the activity related to any threat or breach. It does this by combining a complete copy of all traffic going in and out of the network with robust DPI capabilities, identifying more than 3,300 applications and protocols with thousands of descriptive metadata attributes generated, including content types and file names. Developed as a network forensics solution, Symantec Security Analytics records and classifies every packet of Layer 2 through Layer 7 network traffic. Incorporating a variety of analytics tools—such as anomaly detection; complete session, file, and object reconstruction; data visualization; IP geolocation; and root cause, timeline, and trend analysis—it indexes, enriches, and stores all network data to provide complete visibility of network events with clear, actionable intelligence.

Symantec’s integrated hardware appliances, virtual appliances, and cloud offerings enable flexible, easy deployment for enterprise-wide visibility and awareness. Security Analytics sensors are deployed throughout the network to monitor thousands of network segments, including cloud workloads, data centers, remote offices, and virtual networks. In addition, these sensors offer multiple optimized storage options—including onboard storage, direct attached storage, or high-density storage arrays—to accommodate distributed networks, providing historical forensic capabilities to thoroughly analyze an attack or breach from its inception, irrespective of when it occurred. Security Analytics Central Manager, a central management system, provides a single-pane-of-glass view for centrally administering configurations and orchestrating investigations across more than 200 Security Analytics forensic physical, virtual, or cloud appliances.

Security Analytics integrates with best-of-breed network security products—including next-generation firewall (NGFW), intrusion prevention system (IPS), security information event management (SIEM), sandboxing, and endpoint security solutions—to pivot directly from an alert to obtain full-payload details of the event, before, during, and after it. In addition, the open web services RESTful API enables integration with network and endpoint security solutions for providing context to alerts and logs and expediting incident response. Furthermore, when coupled with Symantec SSL Visibility, Security Analytics can examine encrypted traffic to investigate and remediate the full scope of the attack. Intelligence is shared with the Symantec Global Intelligence Network, providing all Symantec customers access to the latest information for automating detection and protection against newly identified threats.

Strengths: Symantec Security Analytics delivers network visibility and forensics for conducting comprehensive real-time and retrospective analysis, enabling customers to protect their workforce swiftly, fortify the network, and improve security processes. The solution is appliance-based and can be deployed anywhere in the network: at the perimeter, in the core, in a 10GbE backbone, at a remote link, or virtually in the cloud to deliver clear, actionable intelligence for swift incident response and resolution.

Challenges: Compared to other NDR solutions, the cost of deploying Symantec Security Analytics may be relatively high due to the need to deploy dedicated hardware. In addition, the service may experience brief periods of unavailability due to regular updates. Customers report that Symantec support can be relatively slow to respond at times, but they also say the reliability and security benefits far outweigh potential drawbacks or costs.

Cisco: Cisco Secure Network Analytics

Cisco Systems, Inc. is a multinational technology conglomerate known primarily for its networking hardware and software. Established in 1984, the company played a critical role in developing internet infrastructure as we know it today. Cisco has an extensive suite of software and cloud-based applications designed to help businesses manage their IT infrastructure more effectively.

In addition, it offers a wide range of security products and services, including firewalls, intrusion prevention systems, and secure access systems, to help businesses protect their data and IT infrastructure. Cisco’s portfolio includes two NDR solutions: Secure Network Analytics (formerly known as Stealthwatch Enterprise) provides on-premises NDR capabilities, while Secure Cloud Analytics (formerly Stealthwatch Cloud Public Cloud Monitoring) is the SaaS version of Secure Network Analytics.

Figure 5. Cisco Secure Network Analytics at a Glance

Secure Network Analytics (SNA) provides enterprise-wide network visibility and protection by offering two different deployment models—on-premises hardware appliances or virtual machines. Initially analyzing network activities to create a baseline of normal network behavior, SNA combines the baseline with non-signature-based advanced analytics—including behavioral modeling, machine learning algorithms, and global threat intelligence—to identify anomalies and detect and respond to threats in real time. SNA quickly detects threats with high confidence, including command-and-control (C&C) attacks, distributed denial-of-service (DDoS) attacks, illicit crypto mining, ransomware, unknown malware, and insider threats. Furthermore, as an agentless solution, SNA provides comprehensive threat monitoring across all network traffic, including encrypted data.

SNA uses a three-tier architecture, with Flow Collector aggregating flows from multiple sensors before sending events to the centralized management console with an optional cloud-hosted analytics engine. In addition to optional components such as the Flow Sensor, the Cisco Telemetry Broker, the UDP (User Datagram Protocol) Director, and the Data Store, Secure Network Analytics requires the following components:

  • Manager: Available as a hardware appliance or a virtual machine, the Manager aggregates, organizes, and presents analyses from up to 25 Flow Collectors, Cisco Secure Network Access (formerly Cisco Identity Services Engine), or other sources.
  • Flow Collector: Besides collecting telemetry from proxy data sources, the Flow Collector collects and stores enterprise telemetry types such as NetFlow, IPFIX (Internet Protocol Flow Information Export), NVM, and SYSLOG from existing infrastructure.
  • Flow Rate License: Required to collect, manage, and analyze flow telemetry aggregated at the Secure Network Analytics Manager, the Flow Rate License defines the volume of flows that may be collected and is licensed based on flows per second (FPS).

Aligning its efforts to bolster its cloud security and XDR strategies, Cisco has converged Cisco Secure Cloud Analytics (SCA) with Cisco XDR to deliver cloud-based security analytics and comprehensive threat detection. By purchasing an SCA/XDR license, a customer can extend their SNA deployment with additional analytics, data sets, and response capabilities. Alternatively, customers can forgo the on-premises SNA in favor of directly purchasing SCA/XDR for NDR and XDR capabilities without the need for a separate on-premises SNA deployment.

Strengths: Combining advanced heuristics, attack chaining, statistical analysis, and threat intelligence with predefined policy-violation and threshold-based rules to detect network and security anomalies, Cisco Secure Network Analytics and Cisco Secure Cloud Analytics provide enterprise-wide visibility—from the private network to the public cloud—to detect and respond to threats in real time. In addition to integrating with many Cisco infrastructure components, such as Cisco’s Identity Services Engine, Cisco is enhancing its SCA and SNA integration with Cisco SecureX to provide centralized monitoring for network and security operations.

Challenges: Secure Network Analytics is designed to work primarily with other Cisco security products, which may limit its ability to integrate with third-party security solutions. In addition, SNA has limited data parsing (NetFlow), only a basic rules engine given the limited data set, and no threat hunting. Configuring and managing SNA has a steep learning curve and requires a high degree of expertise and technical knowledge. Furthermore, while SCA and SNA pricing is slightly different, the cost depends on the number of monitored environments and the volume of collected events, which can quickly add up, limiting deployment to larger organizations seeking an enterprise-grade security solution.

Corelight: Open NDR Platform

Founded in 2013, Corelight offers solutions commonly used for network security monitoring, incident response, threat hunting, and compliance. By capturing and analyzing network data, Corelight enables organizations to better understand their network activity, detect anomalous behavior, and identify potential security incidents. Corelight builds on Suricata, an open source intrusion detection and prevention system, and Zeek (formerly known as Bro), an open source network analysis framework, to provide enhanced visibility into network traffic.

Figure 6. Open NDR Platform at a Glance

Corelight Open NDR combines open source and proprietary technologies to deliver an open on-premises or SaaS-based NDR platform incorporating intrusion detection, network security monitoring, and Corelight Smart PCAP. Deployed out of band, Corelight sensors are available as on-premises hardware appliances; as cloud sensors running in AWS, Azure, or GCP environments; as software sensors running on any Linux platform or within containers via a lightweight software binary; or as Hyper-V or VMware virtual sensors. Sensors are fed by traffic mirrors via optical taps, packet brokers, or SPAN ports, or by native traffic mirroring in cloud environments. Once the Corelight sensors are in place, external packet storage can be configured via Corelight, BYO hardware, or cloud storage.

By reducing the noise from intercepting all data packets moving through the network, Smart PCAP is a highly efficient approach to precise packet capture that links Zeek logs, extracted files, and detections with only the packets needed for an investigation, thereby extending the window for performing historical forensics. One of the world’s most widely used network security monitoring platforms, Zeek transforms network traffic into compact, high-fidelity transaction logs, allowing defenders to understand the activity, detect attacks, and respond accordingly.

Sitting out of band—on-premises or in the cloud—Zeek gathers metadata and extracts files as evidence, while Corelight fuses that evidence with signature-based IDS alerts from Suricata and its proprietary analytics, Corelight Collections, for input into Corelight Investigator (a SaaS analytics and management console that uses ML to evaluate north-south traffic patterns) or into any SIEM or XDR platform, helping accelerate identification, risk assessment, containment, and closure. Corelight Collections are targeted categories of detections, inferences, and data transformations—covering encrypted traffic, command and control activity, and entity activity, among others—that provide deep visibility into adversary activity.

Corelight’s sensor management console, Fleet Manager, enables the management of all sensors via an intuitive GUI, allowing users to create new capture rules at configurable byte depths based on capture triggers such as alerts, protocol type, and encryption status. Packets are retrieved via Corelight Investigator, a third-party SIEM, or by clicking the PCAP URL embedded in the connection log, which opens the packets in Wireshark for further analysis. Primarily rule-based, Open NDR uses its own rules and detection engines for heuristics, combined with complementary rulesets from partners such as CrowdStrike.

Strengths: An alternative to cobbling together proprietary tools and based on broadly distributed and time-tested open source solutions, Open NDR combines the power of both open source and proprietary technologies to deliver an open on-premises or SaaS-based NDR platform that incorporates intrusion detection, network security monitoring, and Corelight Smart PCAP solutions. As Corelight sensors are frequently deployed out of band, Corelight supports a broad ecosystem of technologies, including industry-leading SIEM and SOAR tools. Using Corelight Investigator, security teams can accelerate threat hunting and investigations by mapping threat activity across the MITRE ATT&CK framework to reduce the volume of alerts with intelligent alert scoring.

Challenges: Despite being based on open source, Open NDR is a high-end network security solution and may require specific hardware for some deployments, which can increase costs. In addition, Corelight’s platform is unique because detections and visibility engineering are community-driven, with continuous content creation from the Suricata IDS, Zeek, and other intelligence communities. While this community approach may appeal to some users, others may prefer a proprietary solution with a single point of control for threat intelligence. Moreover, despite being easy to install and configure, users report that some technical expertise is required to realize its full potential. Finally, there is no way to search or reconstruct full packet capture, only metadata or basic flow information.

Cryptomage: Cryptomage Cyber Eye

Founded in 2016, Cryptomage offers network anomaly detection and cybersecurity services. Cryptomage’s only solution, Cryptomage Cyber Eye, provides a unique approach to network traffic analysis, combining protocol behavior, packet analysis, and host communications behavior analysis. Moreover, while most security solutions focus only on user and host behavior, Cryptomage Cyber Eye also incorporates unusual low-level network behavior.

Figure 7. Cryptomage Cyber Eye at a Glance

Using custom network equipment based on a proprietary artificial intelligence chip powered by Intel FPGA technology, Cryptomage Cyber Eye provides network-based anomaly detection and prediction powered by low-level network protocols, machine learning, and artificial intelligence algorithms. Analyzing network protocols and host activity in real time, Cyber Eye detects and prevents breaches by unknown or hidden network traffic, communication, and data (such as when a TCP/IP packet has been intentionally modified to allow illegal botnet operations), enabling security teams to identify, monitor, and triage traffic flows, connections, and potential malicious events.

Cyber Eye provides deep inspection of every network packet—including transported data—with network protocol discovery and validation using proprietary flow metadata formats and ML algorithms for proactive traffic risk-scoring to accelerate triage and resolution. A passive mode option maximizes performance by ensuring operations don’t interfere directly with network traffic. High-risk network traffic is extracted for analyses focused on specific threat levels, while all processed traffic metadata is stored in extended format for faster trend analysis and historical forensics. Cyber Eye provides built-in analytics tools and charts for ongoing event management, risk scoring of each event and host for effectively triaging threats, and configurable event triggers providing control over certain packets or events when needed. In addition, Cyber Eye offers comprehensive event management through integration and export thresholds with NGFW, SIEM, and SOAR solutions.

Cryptomage Cyber Eye includes a dedicated module for enforcing GDPR with personal data leak detection. The module inspects network packets to detect the transmission of personal data—such as personal identity numbers, taxpayer identification numbers, ID card numbers, and international bank account numbers (IBAN)—reports violations, and provides an inventory and evidence (in the form of network traffic dumps) to data protection officers. In addition, the GDPR module uses geolocation to identify both the recipient and sender of all personal data, automatically detecting the transmission of personal data outside the European Union.
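The GDPR module's core task, spotting personal data such as IBANs in transit, is illustrated by the following added example (not Cryptomage code): a scanner that finds IBAN-shaped tokens in a raw payload and confirms them with the ISO 13616 mod-97 checksum so that IBAN-shaped junk is not reported. The HTTP body is constructed for the example; the first IBAN is the commonly published sample value with correct check digits, the second is the same value with a bad checksum.

```python
import re

# Candidate IBAN: 2-letter country code, 2 check digits, then 11-30 alphanumerics,
# optionally written in space-separated groups. Matching is case-sensitive, so only
# conventionally uppercased IBANs are considered (an assumption of this example).
IBAN_RE = re.compile(r"\b([A-Z]{2}\d{2}(?: ?[A-Z0-9]){11,30})\b")


def iban_valid(candidate):
    """ISO 13616 mod-97 check: move the first four characters to the end, map
    letters A..Z to 10..35, and the resulting integer mod 97 must equal 1."""
    s = candidate.replace(" ", "").upper()
    if not 15 <= len(s) <= 34 or not s[:2].isalpha() or not s[2:4].isdigit():
        return False
    rearranged = s[4:] + s[:4]
    digits = "".join(str(ord(c) - 55) if c.isalpha() else c for c in rearranged)
    return int(digits) % 97 == 1


def find_ibans(payload):
    """Scan raw payload bytes for IBAN-looking tokens; return (token, checksum_ok) pairs.
    latin-1 decoding never fails, so binary protocol bytes do not raise."""
    text = payload.decode("latin-1")
    return [(m.group(1), iban_valid(m.group(1))) for m in IBAN_RE.finditer(text)]


def confirmed_leaks(payload):
    """Report only checksum-valid IBANs, suppressing false positives from IBAN-shaped strings."""
    return [token for token, ok in find_ibans(payload) if ok]


# Constructed HTTP request body (sample input, not captured traffic).
SAMPLE_PAYLOAD = (
    b"POST /transfer HTTP/1.1\r\nHost: bank.example\r\n\r\n"
    b"beneficiary=GB82 WEST 1234 5698 7654 32&memo=ref GB99 WEST 1234 5698 7654 32\r\n"
)

if __name__ == "__main__":
    for token in confirmed_leaks(SAMPLE_PAYLOAD):
        print("personal data in transit:", token)
```

A production module would add the other identifiers the text lists (national ID and taxpayer numbers) with their own checksums and feed the sender and recipient addresses to geolocation to flag transfers leaving the EU.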

Strengths: Designed to integrate and interact with other security solutions to increase threat detection, Cryptomage Cyber Eye offers a unique approach to network traffic analysis, combining protocol behavior detection, packet analysis, and host communications behavior analysis and leveraging advanced AI and ML models to detect a range of cyberattacks. In addition, a dedicated module enforces GDPR by detecting the transmission of personal data and reporting violations to data protection officers.

Challenges: As a smaller vendor with headquarters in Wroclaw, Poland, offering GDPR compliance as a critical differentiator, Cryptomage concentrates primarily on the European Union, with limited support for large international deployments. If Cryptomage Cyber Eye is deployed on-premises in environments without an internet connection, updates must be uploaded manually, which may not meet the needs of all users.

Cynamics: Cynamics NDR

Founded in 2019, Cynamics develops next-generation sample-flow-based NDR solutions using standard sampling protocols built into every gateway, eliminating the need for physical or virtual agents or appliances. Combining patented AI-based technology and deep learning technologies, Cynamics autonomously analyzes network Layers 2 through 7 to predict threats and attacks, provides detailed root-cause analyses tracing every attack step to minimize the effort required for manual investigation, and can autonomously close the loop and prevent an attack using auto-mitigation capabilities. Leveraging Cynamics’ next-generation technology, Network Blueprint, Cynamics NDR provides threat prediction and network visibility at speed and scale for networks of all architectures and sizes with minimal burden on network and security resources.

Figure 8. Cynamics NDR at a Glance

An architecture-agnostic SaaS-based solution designed to autonomously detect and analyze traffic patterns for a holistic view of the entire network, Network Blueprint infers comprehensive north-south and east-west network visibility in real time from less than one percent of the network traffic. Small network samples are collected using existing industry-standard sampling protocols and APIs—such as NetFlow, sFlow, IPFIX, VPC Flow Logs for AWS and GCP, and NSG for Azure—which are built into every kind of gateway—physical, virtual, or cloud—without deploying any appliances, agents, probes, sensors, switched port analyzer (SPAN) ports, test access points (TAPs), or traffic mirroring in the client network or requiring DPI. In addition, Cynamics NDR is entirely agnostic to encrypted traffic since it doesn’t collect, process, or analyze packet data and payload but only the IP headers’ metadata fields, using flow pattern inspection instead of DPI.

Furthermore, Cynamics’ patented anomaly detection technology provides pre-trained AI detection models, accelerating protection by eliminating the need to train models from scratch for weeks or months. Leveraging the academically acknowledged concept of autoencoder loss normalization transfer learning, Network Blueprint transforms loss vectors from different client networks into a similar statistical distribution, detecting and classifying threats in new networks in a generalized way that is agnostic to the specific client. Self-provisioned onboarding accelerates time to value, reducing the learning curve and enabling meaningful threat detection immediately after onboarding.

Cynamics NDR auto-remediation capability integrates with existing third-party security postures and SIEM and SOAR platforms, promptly addressing threats by sending detailed root-cause analysis and threat mitigation instructions directly to network gateways. Cynamics partners with Merlin Cyber (a robust ecosystem of cybersecurity investment, innovation, and technical expertise) to deliver Cynamics Federal, a secure Cynamics NDR solution deployed within a high-security AWS GovCloud environment built to meet federal data protection standards. Cynamics also enables agencies to comply with regulatory policies, including Federal Information Security Modernization (FISMA) and GDPR. In addition, the company launched a Cynamics MSSP service that lets managed security service providers manage their clients connected via Cynamics.

Strengths: Eliminating the need for appliances, agents, probes, sensors, SPAN ports, or TAPs, Cynamics NDR is a next-generation sample-flow-based NDR solution collecting one percent or less of the network metadata from network gateways or virtual private clouds (VPCs) to provide complete network visibility and threat prediction for even the most complex network environments. As a low-touch SaaS-based solution with pre-trained AI detection models, Cynamics NDR enables meaningful threat detection immediately after onboarding.

Challenges: Cynamics lacks complete coverage for organizations with numerous devices located outside the network. Moreover, despite being a low-touch solution with pre-trained detection capabilities, Cynamics must develop advanced integrations with third-party SIEM and SOAR platforms to streamline the setup of mitigation playbooks based on Cynamics detections. In addition, Cynamics must improve the user interface and create a visual network map showing the relationships from the gateways through the network assets to the endpoints to create an even better user experience. Finally, Cynamics’ pricing model can be somewhat expensive for smaller organizations or those with limited budgets.

Darktrace: Darktrace DETECT/RESPOND/HEAL

Founded in 2013 and a leader in AI-based cyber defense solutions, Darktrace evolved from a collaboration between Cambridge University mathematicians and British intelligence agencies and is backed by over 125 patents and pending applications. Darktrace leverages proprietary technology to deliver its Cyber AI Loop, an end-to-end set of cybersecurity capabilities that simultaneously prevent, detect, respond to, and heal cyberattacks in real time. Autonomously detecting and responding to new in-progress threats within seconds, Cyber AI Loop’s always-on feedback system uses advanced AI/ML models to fully understand, protect, and harden the entire security ecosystem, including the network, on-premises and SaaS applications, cloud workloads, email, endpoints, and specialized OT environments.

Figure 9. Darktrace at a Glance

The Cyber AI Loop comprises four AI-powered product families—Darktrace PREVENT, Darktrace DETECT, Darktrace RESPOND, and Darktrace HEAL—that work collaboratively to protect the entire network from external and internal threats. Rather than relying on rules, signatures, fixed baselines, or training data, Darktrace’s core detection engine (powered by the vendor’s proprietary self-learning AI) uses unsupervised learning models to build a dynamic understanding of the constantly changing digital environment and create a unique multidimensional view of the ways users and devices interact, building a baseline of what’s normal to identify previously unknown and unpredictable threats. In addition, the extended detection engine uses various forms of AI—including supervised machine learning—for investigation by the AI analyst.

Based on data collected from network appliances, software sensors, or third-party security products, PREVENT prioritizes and preempts possible entry points and attack paths, highlighting risky and vulnerable assets to DETECT for further analysis. If an anomaly or potential threat is detected, an alert is either sent to the security team or, in specific configurations, forwarded to RESPOND, triggering an autonomous response to slow down or stop the threat, such as isolating a device from the network or restricting its access to specific resources. Closing the AI loop, DETECT analyses and RESPOND actions are fed back into PREVENT to anticipate an attacker’s next move. Automating remediation and recovery planning, decisions, actions, and communications, Darktrace HEAL (generally available later in 2023) will enable organizations to restore assets and systems affected by cyberattacks to trusted operational states through AI assistance.

As an intuitive and easy-to-use graphical interface, Threat Visualizer provides real-time visibility of the entire digital infrastructure, surfacing insights across email, the cloud, and the corporate network in a single pane of glass for simplified cyber threat visualization and investigation. Only the most relevant threats are presented, allowing for incident prioritization, with the option to drill down into any single event in finer detail. Threat Visualizer also enables users to go back to when an incident occurred and witness events as they unfolded.

In addition, Darktrace’s Cyber AI Analyst accelerates time to meaning by fully automating threat investigations for the first time. When Darktrace detects a pattern of suspicious behavior, Cyber AI Analyst launches into an enterprise-wide investigation, collating disparate anomalies before reaching a high-level conclusion about the nature and root cause of the broader security incident. Illuminating the full scope of incidents in real time, Cyber AI Analyst produces a dynamic situational dashboard and written reports, enabling resource-constrained security teams to focus on priority threats.

Strengths: Leveraging advanced AI/ML models and self-learning AI to detect early-stage cyber threats, Darktrace provides a comprehensive enterprise-wide cyber defense, protecting organizations of all sizes and environments, including cloud and email systems, endpoints, zero-trust technologies, and IT/OT networks. Darktrace DETECT and RESPOND accelerate time to detection and response, PREVENT provides contextual awareness of attack paths and the business impact of a compromise, and HEAL provides network incident management capabilities and integrated, dynamic playbooks. With one-click integrations, the platform can instantly ingest new forms of telemetry, share tailored AI insights across established workflows, and interoperate with a wide range of technologies.

Challenges: Darktrace products require rigorous configuration, management, and tuning to be effective, with customers reporting many false positives generated during the learning phase. Darktrace offers only minimal metadata streaming to data lakes or SIEM/SOAR platforms. Furthermore, although Darktrace uses ML to analyze the headers and trailers of encrypted traffic, users cannot inspect the encrypted payload itself, so threat analysis of such traffic is source- and destination-based. In addition, customers report Darktrace’s per-endpoint pricing to be confusing, with costs quickly escalating as devices are added to the network.

ExtraHop: Reveal(x)

Founded in 2007, ExtraHop provides AI-based network intelligence to stop advanced threats across cloud, hybrid, and distributed environments. Building on the belief that the network is the immutable source of truth, on-premises ExtraHop Reveal(x) delivers proactive, predictive, and preemptive approaches to network security, offering best-in-class network-level visibility. In addition, the ExtraHop Reveal(x) 360 platform combines the power of cloud-scale AI with the simplicity of SaaS to defend against advanced threats—including APTs, supply chain attacks, and zero days—providing security from core to cloud to edge.

Figure 10. Reveal(x) at a Glance

Parsing more than 70 enterprise protocols and extracting over 5,000 data points about the network behavior of each device, Reveal(x) detects threats faster with cloud-scale machine learning to create a timeline of related detections and accelerate investigation and response into advanced threats, including those targeting cloud workloads and containerized applications. In addition to spotting any unusual behavior or activity, Reveal(x) detects encrypted exploits and post-compromise reconnaissance and lateral movement. Reveal(x) also decrypts traffic to detect stealthy malicious activity and advanced threats living off the land in the target network.

Relying on standalone hardware sensors, virtual sensors powered by DevOps tools of choice, or SaaS partners providing visibility into their environments, Reveal(x) continuously captures and analyzes east-west and north-south traffic, covering 90% of network-detectable MITRE ATT&CK techniques and enabling investigation of novel threats and never-before-seen attack techniques. Using covert, out-of-band network observation combined with multiple detection techniques—including AI/ML, heuristics, and signatures—Reveal(x) eliminates blind spots with 100% coverage by discovering every asset and workload communicating across the network, identifying software, operating systems, and any asset accepting internet connections, communicating externally, using cloud services, or behaving in any way that could introduce risk, without attackers knowing they are being observed.

The Reveal(x) platform conducts continuous full-packet capture, retaining 90 days of transaction records for forensic evidence, enabling the retroactive detection and investigation of long-dwelling threats such as nation-state threat actors and supply chain attacks. Automated retrospective detection automatically applies newly found threat intelligence to past network behavior to ensure no threat was missed. In addition, ExtraHop’s unique decryption capability provides instant access to forensic detail to ensure a fast response to current threats and a thorough investigation of past security events, all while simplifying and streamlining threat hunting. Finally, Reveal(x) enables automated response by integrating with third-party endpoint, SIEM, and SOAR platforms.

Strengths: Reveal(x) provides continuous full packet capture and decryption capabilities across all on-premises, cloud, and hybrid environments with flexible deployments using physical, virtual, or cloud sensors. Offered as an on-premises or SaaS solution, Reveal(x) combines autonomously self-improving cloud-scale analytics with on-box detectors leveraging AI/ML, heuristic, and signature detection techniques to provide comprehensive MITRE ATT&CK framework coverage. ExtraHop’s cloud architecture allows ML improvements to be crowdsourced, enabling learnings from each customer environment to be shared via cloud-delivered model updates. In addition, ExtraHop Reveal(x) integrates with over 60 technology partners, including CrowdStrike, IBM QRadar, Microsoft Protocol Decryption, Microsoft 365, Splunk, and Splunk SOAR.

Challenges: ExtraHop must continue to focus on reducing noise and alert fatigue without sacrificing detection capabilities. Customers report a steep learning curve due to the level of detail available. In addition, upgrading Reveal(x) appliances is a manual process with devices requiring upgrades in a specific order, introducing an element of risk. Furthermore, pricing is module based, so a full-featured ExtraHop Reveal(x) ecosystem—including packet capture and retention—may be beyond the budget of smaller enterprises.

Fidelis Cybersecurity: Fidelis Network

Founded in 2002, Fidelis Cybersecurity offers complete visibility across hybrid environments via rich, dynamic cyber terrain mapping and a multifaceted context and risk assessment platform. Fidelis Cybersecurity’s NDR solution, Fidelis Network, unites real-time and retrospective analysis with data loss prevention (DLP) for network, email, and web traffic, scanning all network traffic bidirectionally—east-west and north-south—to identify threats and signs of data leakage. In addition, Fidelis Cybersecurity created and patented deep session inspection (DSI) technology as a critical capability of Fidelis Network to overcome the gaps in the detection capabilities of traditional DPI tools.

Figure 11. Fidelis Network at a Glance

Collecting data by ingesting it from dedicated physical and virtual sensors, Fidelis Network automatically discovers and continuously classifies all networked assets—building a comprehensive asset map spanning managed and unmanaged systems, shadow IT, and enterprise IoT devices—at wire speed and enterprise scale. Using its proprietary DSI technology, Fidelis Network provides visibility and a unique, patented contextual perspective across network, email, and proxied web traffic. Combining this valuable contextual perspective with machine learning, sandboxing, threat intelligence, and active deception defenses ensures more effective threat detection throughout the entire kill chain—from initial infection through data leakage by malicious outsiders or insiders.

Conceptually similar to endpoint protection, DSI was designed to overcome DPI shortcomings by acting as the host computer to reassemble network traffic into application content. The most rigorous application of DSI technology is on network sensors, which need to identify multiple protocols, applications, and files, including transport protocols (TCP, UDP, ICMP, and others), application protocols (HTTP, SMTP, FTP, TLS, and the like), applications (such as Webmail, Facebook, and LinkedIn), and all file formats including embedded documents (Office documents, PDF, Zip, RAR, and so on). Applied to network choke points, email systems, proxied traffic, and internal data center access points, DSI monitors over 300 network attributes and extracts metadata that can be used as the basis for manual or machine-automated analysis.

In addition to heuristics, signatures, and threat intelligence, Fidelis Network uses supervised and unsupervised machine learning and statistical modeling based on rich metadata to uncover potential threats that are hard to find using traditional detection methods. Combining rich network visibility, multiple detection techniques, incident response workflow automation, and validated alerts with CommandPost (an intuitive management dashboard for creating and editing sensor policies, configuring metadata analytics and automation, and viewing alerts from the connected sensor and collector components) accelerates response times. Furthermore, unifying Fidelis Network with Fidelis Endpoint (an EDR solution detecting endpoint activity in real time) and Fidelis Deception (a low-risk, low-friction cyber alarm system using honeytraps) in a single platform, Fidelis Elevate is an XDR platform that helps organizations detect an attack, respond, and recover faster.

Strengths: Fidelis Network provides deep visibility into networks on all ports and protocols to bolster security operations with proactive and predictive deception techniques spanning networks, endpoints, and clouds. Using a proprietary advanced threat detection algorithm to correlate weak signals, Fidelis Network scores those signals based on the stage of an attack, mapping them to known attack vectors and TTPs from the MITRE ATT&CK framework.

Challenges: Fidelis must expand its network detection and asset protection capabilities by incorporating flow-based metadata and input from third-party solutions to increase threat detection and visibility. In addition, while Fidelis Network responses can be automated via scripts and playbooks, the company needs to provide out-of-the-box automated incident response capabilities for faster threat containment and mitigation. Fidelis Network does not offer managed NDR and is a high-end service best suited for large enterprises.

GREYCORTEX: GREYCORTEX Mendel

Founded in 2016, GREYCORTEX uses advanced artificial intelligence, machine learning, and data mining methods to help organizations make their IT operations secure and reliable. Based on ten years of extensive academic and industrial research, GREYCORTEX Mendel is a network detection and response tool that combines advanced artificial intelligence, machine learning, and data mining methods with unique network visibility to visualize network communication, detect risks and threats, and respond quickly and effectively to threats from misconfigurations, performance problems, or policy violations as well as new advanced threats and hacker activities able to bypass existing security tools.

Figure 12. GREYCORTEX Mendel at a Glance

Using physical and virtual appliances and flow-based input from up to one thousand NetFlow sources and external logs, Mendel maintains an up-to-date list of all active services and hosts, leveraging AI/ML-based models to learn and anticipate network behavior for all subnets, hosts, and services on each host, adjusting its network behavior model every hour based on current data. The intuitive user interface allows every device in the network to be viewed in real time, including information about who is using the device, when, how often, with what protocol, and how much data and metadata they are sending and receiving. All traffic not in line with learned behavior models for the current hour of the day and week is reported as anomalous.
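To make the hour-of-the-day-and-week baselining described above concrete, here is an added example (not GREYCORTEX code) that builds a per-host byte baseline for each (weekday, hour) slot from constructed NetFlow-style records and flags a day whose total in that slot exceeds the learned mean by more than three standard deviations. The host address, byte counts, and dates are constructed sample input.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev


def make_week(monday, bytes_0900, bytes_0300):
    """Two constructed flow records (timestamp, source host, bytes) for one Monday."""
    return [
        (monday.replace(hour=9), "10.0.0.5", bytes_0900),
        (monday.replace(hour=3), "10.0.0.5", bytes_0300),
    ]


FIRST_MONDAY = datetime(2024, 1, 1)  # 1 January 2024 was a Monday
# Four training weeks: busy at 09:00, nearly idle at 03:00.
TRAINING_FLOWS = [
    rec
    for w in range(4)
    for rec in make_week(FIRST_MONDAY + timedelta(weeks=w), 1_000_000 + 20_000 * w, 2_000)
]
# Fifth Monday: a normal 09:00 hour and a 50 MB burst at 03:00, when the host is usually idle.
TEST_FLOWS = make_week(FIRST_MONDAY + timedelta(weeks=4), 1_050_000, 50_000_000)


def slot(ts):
    """Hour-of-week bucket, the granularity the text describes: (weekday, hour)."""
    return (ts.weekday(), ts.hour)


def aggregate(flows):
    """Sum bytes per (host, slot, calendar day) so each day is one observation for its slot."""
    totals = defaultdict(int)
    for ts, host, nbytes in flows:
        totals[(host, slot(ts), ts.date())] += nbytes
    return totals


def build_baseline(flows):
    """(host, slot) -> (mean, population stdev) of the daily byte totals seen in that slot."""
    observations = defaultdict(list)
    for (host, s, _day), total in aggregate(flows).items():
        observations[(host, s)].append(total)
    return {key: (mean(v), pstdev(v)) for key, v in observations.items()}


def detect(baseline, flows, k=3.0, floor=10_000):
    """Return (host, slot, observed, expected) for days whose total exceeds mean + k * stdev.

    `floor` bounds the stdev from below so a perfectly flat baseline (stdev 0) does not
    alert on trivial jitter. A slot never seen in training has baseline (0, 0) and so
    alerts on anything above k * floor bytes, i.e. first-seen activity is reported too.
    """
    alerts = []
    for (host, s, _day), total in aggregate(flows).items():
        mu, sd = baseline.get((host, s), (0.0, 0.0))
        if total > mu + k * max(sd, floor):
            alerts.append((host, s, total, mu))
    return alerts


def demo():
    """Train on the four constructed weeks, then score the fifth Monday."""
    return detect(build_baseline(TRAINING_FLOWS), TEST_FLOWS)


if __name__ == "__main__":
    for host, (weekday, hour), observed, expected in demo():
        print(f"{host} weekday={weekday} hour={hour:02d}: {observed} bytes vs baseline {expected:.0f}")
```

Mendel's model is refreshed every hour; in this sketch that corresponds to re-running build_baseline over a sliding window of recent weeks before each detect pass.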

Mendel offers several technologies and detection engines, including DPI, IDS, network behavior analysis (NBA), encrypted traffic analysis, network and application performance monitoring, event correlation, and risk assessment. At the same time, Mendel combines specific signatures for the detection of known threats and its own detection signatures to identify approximately 300 types of industrial and critical infrastructure attacks on the most used OT protocols. Risk and correlation analysis combines several detected events into a single incident and assesses the risk ratings of the network, subnets, hosts, and services.

Mendel integrates with existing network security tools—including firewalls, access control systems, and other active security tools—so users can respond to attacks, conduct investigations, manage all incidents, and block malicious communications from a single interface. Incident management features allow several analysts to either work on an issue simultaneously or balance the workload within the team. In addition, GREYCORTEX Mendel’s industrial control system (ICS) module is an advanced industrial IDS based on DPI of ICS and supervisory control and data acquisition (SCADA) traffic, detecting both common and undocumented cyberattacks, behavioral anomalies, vulnerabilities, and misconfigurations in IoT, IIoT, and OT networks. Mendel can export flow data and events to a SIEM for further investigation, with analysts able to return from the SIEM to Mendel for more details with a single click.

Strengths: Using flow-based and content-based monitoring, GREYCORTEX Mendel is an NDR tool that visualizes network communication among all connected devices, distinguishing between machine and human behavior, analyzing network traffic, and detecting malicious activities and advanced threats. Mendel enables system analysts to investigate operational and security events, find their root causes, and respond to mitigate them quickly and effectively. Mendel’s ICS module offers deep visibility into ICS/SCADA networks, protocols, assets, and related vulnerabilities, combining threat detection and policy monitoring to ensure the security of any industrial network. GREYCORTEX also offers managed services for smaller teams.

Challenges: Headquartered in Brno, Czechia, GREYCORTEX is a small company primarily focused on delivering solutions to customers in the European Union, with limited support for large international deployments. While accepting regular client feedback and making changes to the Mendel AI/ML models, GREYCORTEX lacks access to the threat intelligence feeds available to some of its larger competitors.

IronNet: Collective Defense Platform

Founded in 2014 by General (Ret.) Keith Alexander, the former Director of the United States National Security Agency (NSA) and the founding commander of United States Cyber Command, IronNet employs several former NSA cybersecurity operators with offensive and defensive cyber security experience to integrate deep tradecraft knowledge into the IronNet Collective Defense platform. As an early warning system, the Collective Defense platform leverages advanced AI-driven capabilities to detect and prioritize anomalous activity inside individual enterprise network environments. Powered by AWS, the platform analyzes threat detections across the community to identify broad attack patterns. It provides real-time anonymized intelligence back to all community members, alerting them to potential attacks.

Figure 13. Collective Defense Platform at a Glance

Integrating best-in-class behavioral analytics to stay ahead of ever-changing TTPs used by both nation-state adversaries and cyber-criminal organizations, IronNet’s Collective Defense Platform includes two core components: IronDefense for detection and analytics, and IronDome for threat intelligence.

Using network packets, network flow records, and input from third-party platforms (with new sensors auto-commissioned and auto-upgraded without requiring interaction from SOC staff), IronDefense improves visibility and detection across enterprise cloud, virtual, and on-premises infrastructure. Working seamlessly with AWS and Azure, IronDefense detects stealthy threats using advanced behavioral detection techniques, automatically acquiring contextual data and applying security playbooks to triage and risk analysis for speedy resolution. IronDefense integrates with Carbon Black and CrowdStrike endpoints and SentinelOne EDR to create and update the network inventory and isolate a device remotely via the IronDefense user interface.

IronDome is an automated solution enabling participants to automatically share real-time detections, triage outcomes, threat indicators, and other insights with other Collective Defense group members. Automating real-time knowledge sharing for faster threat detection, IronDome applies proven AI/ML techniques and advanced analytics to anonymize participant data to identify stealthy, sophisticated threats that an individual enterprise and signature-based tools might otherwise miss. Delivering near real-time visibility of cyber threats targeting supply chains, industries, regions, or any custom Collective Defense grouping, IronDome enables organizations to collaborate with others across industries and sectors to stay ahead of evolving threats by sharing intelligence of advanced or unique attacks as they unfold.

IronRadar, announced in November 2022, automatically pushes indicators for newly staged adversary command-and-control (C2) infrastructure to customers' existing security tools so that it can be detected and blocked before it is used. Using a fingerprinting process developed by IronNet analysts, IronRadar tracks the creation of new malicious infrastructure hosting post-exploitation toolkits, vulnerability scanners, and remote access trojans (RATs), giving security operations, incident response, and cyber threat intelligence teams what they need to identify C2 servers before they are used in an attack.

Strengths: Using AI and ML techniques, IronNet delivers broad network visibility while facilitating real-time collaboration within a community of peers to better inform and speed up response. Offering a holistic enterprise defense, IronNet supports AWS, Azure, and private enterprise clouds. Security teams can trial IronRadar for free through AWS Marketplace. IronNet's tiered, per-user pricing offers increasing capabilities (log-based behavioral detection and collective defense; network detection and response, collective defense, and reporting; and network detection and response, collective defense, reporting, cyber hunt, and enhanced services) aligned with requirements and budget.

Challenges: IronNet's financial struggles are affecting operations, with key metrics (annual recurring revenue, customers, and calculated billings) all substantially down in the last quarter. While long-term shareholder C5 Capital and other investors have provided more than $20 million in senior secured debt in recent months, a near-term Chapter 11 filing is possible. Prospective customers should verify IronNet's financial stability before engaging.

Lumu Technologies: Lumu

Founded in 2019, Lumu is a cybersecurity company that helps enterprises identify and isolate compromise in real time by augmenting existing defenses with actionable intelligence. Enabled by Lumu's patent-pending Illumination Process, Lumu's Continuous Compromise Assessment model collects, normalizes, and analyzes a wide range of network metadata, including DNS, NetFlow, proxy and firewall access logs, and email, providing in-depth insight into the behavior of the enterprise network. Lumu maps the network and describes each communication path in a common vocabulary (domain, IP address, or URL), and anomalies are identified across that vocabulary.

Figure 14. Lumu at a Glance

Eliminating the need to deploy physical appliances that identify threats only when critical assets are under attack, Lumu customers can deploy unlimited virtual sensors—Lumu Virtual Appliances (LVAs)—to provide complete visibility across the entire attack surface, enabling attacks to be detected in their early stages. LVAs collect and process network metadata using standard or proprietary event formats, including common event format (CEF), log event extended format (LEEF), and Syslog formats. Lumu provides a custom collector API for pre-existing third-party infrastructure logs and out-of-the-box integrations with cloud (AWS, Azure, and GCP) or SaaS infrastructures (Cisco Umbrella, Forcepoint, Netskope, and Zscaler). In addition, Lumu detects malicious activity originating via email and spam through integrations with Google Workspace and Microsoft Office 365.

As part of Lumu's Illumination Process, the collected network metadata is correlated in real time with known indicators of compromise (IoCs) from more than 83 threat intelligence sources, including Lumu's alliances with Malware Patrol and VirusTotal. AI/ML and heuristic inference engines then process the correlated metadata to identify anomalous behavior. Rather than immediately triggering alerts, anomalies of interest go through a deeper correlation step that measures the technical distance between the anomaly and the cluster of known IoCs. Alerts are generated only when matching data is identified and are reported to the customer immediately.
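The two preceding paragraphs describe Lumu ingesting CEF, LEEF, and syslog records and correlating the extracted domains and IPs against IoC feeds. The following is an added illustration of that pipeline, written for this page and not Lumu's code: it parses one constructed line in each format (a CEF proxy event, a LEEF 1.0 firewall event, and two BIND-style syslog query lines), extracts the destination the source host contacted, and matches it against a constructed IoC set, walking up the DNS label hierarchy so that a subdomain of a blocklisted domain still hits. All log lines, hosts, and indicators are made up; LEEF 2.0 (which carries a custom delimiter field) is not handled.

```python
"""Normalize CEF / LEEF / syslog network metadata and correlate it with IoCs."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class NetEvent:
    fmt: str
    src: str        # internal host that initiated the contact
    indicator: str  # destination domain or IP it reached


# CEF extension: key=value pairs separated by whitespace; values may contain spaces,
# so stop a value only where the next "key=" begins.
_CEF_KV = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")
# BIND-style query log as forwarded over syslog (constructed format for this example).
_DNS_QUERY = re.compile(r"client (?P<src>[\d.]+)#\d+.*?query: (?P<qname>\S+) IN")


def parse_cef(line: str) -> NetEvent:
    # Header has 7 '|'-separated fields (a literal pipe is escaped as '\|'); the rest is the extension.
    parts = re.split(r"(?<!\\)\|", line, maxsplit=7)
    if len(parts) < 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF line")
    ext = dict(_CEF_KV.findall(parts[7]))
    return NetEvent("cef", ext.get("src", ""), ext.get("dhost") or ext.get("dst", ""))


def parse_leef(line: str) -> NetEvent:
    # LEEF 1.0: LEEF:1.0|Vendor|Product|Version|EventID|tab-separated attributes
    parts = line.split("|", 5)
    if len(parts) < 6 or not parts[0].startswith("LEEF:1.0"):
        raise ValueError("not a LEEF 1.0 line")
    ext = dict(kv.split("=", 1) for kv in parts[5].split("\t") if "=" in kv)
    return NetEvent("leef", ext.get("src", ""), ext.get("dstDomain") or ext.get("dst", ""))


def parse_syslog_dns(line: str) -> NetEvent:
    m = _DNS_QUERY.search(line)
    if not m:
        raise ValueError("not a DNS query log line")
    return NetEvent("syslog", m["src"], m["qname"])


def parse_event(line: str) -> NetEvent:
    if line.startswith("CEF:"):
        return parse_cef(line)
    if line.startswith("LEEF:"):
        return parse_leef(line)
    return parse_syslog_dns(line)


def match_ioc(indicator: str, iocs: Set[str]) -> Optional[str]:
    """Return the IoC that covers `indicator`: an exact match or any parent domain."""
    ind = indicator.lower().rstrip(".")
    if ind in iocs:
        return ind
    labels = ind.split(".")
    for i in range(1, len(labels) - 1):          # a.b.evil.example -> b.evil.example -> evil.example
        parent = ".".join(labels[i:])
        if parent in iocs:
            return parent
    return None


def correlate(lines: Iterable[str], iocs: Set[str]) -> List[Tuple[str, str, str]]:
    """Yield (source host, contacted indicator, matching IoC) for every line that hits."""
    hits = []
    for line in lines:
        try:
            ev = parse_event(line)
        except ValueError:
            continue                                   # unknown format: skip, don't crash the pipeline
        hit = match_ioc(ev.indicator, iocs)
        if hit:
            hits.append((ev.src, ev.indicator, hit))
    return hits


# Constructed sample input (not real traffic); RFC 5737 / .example names only.
SAMPLE_LINES = [
    "CEF:0|ExampleVendor|Proxy|1.0|100|web access|3|src=10.0.0.5 dhost=cdn.evil.example request=http://cdn.evil.example/x act=allowed",
    "LEEF:1.0|ExampleVendor|Firewall|2.0|conn|src=10.0.0.7\tdst=203.0.113.9\tdstPort=443",
    "<30>Jun  1 12:00:00 dns1 named[123]: client 10.0.0.9#5353: query: safe.example IN A",
    "<30>Jun  1 12:00:01 dns1 named[123]: client 10.0.0.9#5353: query: beacon.evil.example. IN TXT",
]
IOCS = {"evil.example", "203.0.113.9"}   # constructed blocklist standing in for a threat feed

if __name__ == "__main__":
    for src, indicator, ioc in correlate(SAMPLE_LINES, IOCS):
        print(f"{src} contacted {indicator} (matches IoC {ioc})")
```

The parent-domain walk is what turns a feed entry such as `evil.example` into detections for `cdn.evil.example` and `beacon.evil.example.`; a plain string-equality lookup would miss both, which is a common gap in home-grown log matching.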

Lumu’s solution portfolio includes Lumu Insights, Lumu Defender, and Lumu for MSPs:

  • Lumu Insights: Supporting an unlimited number of LVAs and one year of incident retention, Lumu Insights identifies network threats in real time and provides detailed context about which assets have been compromised, when it happened, how it happened, and the best way to respond.
  • Lumu Defender: Providing the same network monitoring as Lumu Insights, Lumu Defender adds the ability to block malicious activity using the existing cybersecurity stack and playback for up to two years of network metadata to identify previous contact with a newly identified malicious IoC.
  • Lumu for MSPs: Lumu for MSPs enables MSPs to enhance their security offerings and implement an NDR strategy for SMB clients. Lumu for MSPs leverages Lumu's continuous compromise assessment capabilities to develop efficiencies in an MSP's security practice and grow revenue.

While not dependent on the availability of a SIEM tool, Lumu adds a critical layer to a security strategy by providing conclusive compromise intelligence without interrupting existing processes.

Strengths: Deployed within minutes or hours, depending on the size of the network, Lumu enables organizations to detect and respond to north-south and east-west attacks across all types of assets without deploying physical sensors or tapping and decrypting network traffic, reducing dwell time and illuminating blind spots that bad actors could otherwise exploit. Adversarial tactics are mapped to the MITRE ATT&CK matrix, and Lumu can attribute adversarial intent to an actor targeting a protected client. Using virtual appliances, gateways, or custom collectors and retaining incident data for 45 days, Lumu Free is a limited-visibility offering that lets prospective customers try out Lumu's Continuous Compromise Assessment model.

Challenges: While currently offering over 80 out-of-the-box and API integrations, Lumu must provide additional integrations, making it as easy as possible for customers to integrate with existing solutions in just a few clicks. Moreover, the product’s features are not always reflected in customer reports. Lumu needs to improve the customization of reports to ensure every feature is clearly understood and its value evident for customers, especially non-technical personnel. In addition, Lumu should simplify deployment and integration with customers’ cybersecurity stack.

NetWitness: NetWitness Network

Initially conceived as a US intelligence agency research project in 1997, NetWitness delivers comprehensive and highly scalable threat detection and response capabilities based on a unified data architecture. Using a combination of in-house, open-source, and easily customizable network parsers, NetWitness Network offers full packet capture and detection with comprehensive network visibility, flexible response actions, and deep packet forensics across on-premises hardware, virtual software, major cloud providers, or any hybrid combination. In addition to analyzing all standard network protocols, customers can quickly build their own parsers for specialized or proprietary protocols.

Figure 15. NetWitness Network at a Glance

Collecting traffic information from flow data (NetFlow/IPFIX), packet capture or PCAP files, physical and virtual sensors, and third-party secure service access (SSA) applications, NetWitness can be deployed as a scalable on-premises offering or as a cloud-based SaaS model, capturing north-south and east-west traffic in real time. NetWitness supports a wide range of customers and use cases, from high-security, air-gapped installations that require all data to stay local, to high-demand workloads offloaded to a burstable, elastic cloud system that uses a shared pool of anonymized data.

As NetWitness ingests data, it also enriches it in real time with human-readable and easily navigable contextual information that can be used throughout the detection and investigation lifecycle. Used by all downstream detection techniques, the enriched data includes business and technical context, geolocation data, MITRE ATT&CK mapping, and threat intelligence from NetWitness FirstWatch. Using simple data feeds and STIX/TAXII, customers can add customized enrichment data to speed up searches and simplify point-and-click navigation and threat hunting that can then be operationalized for additional automatic detection.

NetWitness builds a model of the enterprise network by automatically detecting and profiling assets, such as servers and user systems, and collecting each asset's communications and traffic patterns over a period of time. That model becomes the baseline against which unexpected changes in an asset's usage or behavior are detected and alerted on. Applying unsupervised techniques to the underlying unified data architecture and data model, NetWitness layers multiple detection techniques, including machine-learning-based user and entity behavior analytics, network signatures, and real-time, rule-based, time-aware correlation, to identify anomalous behavior and detect both known and unknown threats, relieving security operations staff of the demanding task of supervising the learning process.
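The paragraph above describes the baseline-and-deviation approach at the heart of NDR without saying how a baseline is scored. The example below is added for this page and is not NetWitness code: over constructed flow records it builds, for each internal host, a robust baseline of hourly egress volume (median and median absolute deviation) and the set of destination peers seen during the baseline window, then flags any later hour whose volume is far outside that baseline and any contact with a never-seen peer. The median/MAD scoring and the thresholds are illustrative choices, not the vendor's algorithm; the flows, hosts, and volumes are made up.

```python
"""Baseline per-host flow behavior and alert on deviations (added example, constructed data)."""
import statistics
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Flow:
    hour: int        # hour index since the start of the observation window
    src: str
    dst: str
    dst_port: int
    bytes_out: int   # bytes sent by src in this flow


Baseline = Dict[str, Tuple[float, float, Set[Tuple[str, int]]]]  # src -> (median, MAD, peers)


def hourly_egress(flows: List[Flow]) -> Dict[str, Dict[int, int]]:
    """Sum the bytes each source host sent in each hour."""
    out: Dict[str, Dict[int, int]] = defaultdict(lambda: defaultdict(int))
    for f in flows:
        out[f.src][f.hour] += f.bytes_out
    return out


def build_baseline(flows: List[Flow], baseline_hours: int) -> Baseline:
    """Learn a robust centre/spread of hourly egress and the peer set for every host."""
    history = [f for f in flows if f.hour < baseline_hours]
    egress = hourly_egress(history)
    peers: Dict[str, Set[Tuple[str, int]]] = defaultdict(set)
    for f in history:
        peers[f.src].add((f.dst, f.dst_port))
    baseline: Baseline = {}
    for src, per_hour in egress.items():
        samples = [per_hour.get(h, 0) for h in range(baseline_hours)]   # quiet hours count as 0 bytes
        med = statistics.median(samples)
        mad = statistics.median([abs(s - med) for s in samples])       # robust to the odd busy hour
        baseline[src] = (med, mad, peers[src])
    return baseline


def detect(flows: List[Flow], baseline: Baseline, baseline_hours: int,
           k: float = 5.0, floor: int = 1024) -> List[Tuple[int, str, str, str]]:
    """Alert when a host's hourly egress or peer set departs from its baseline."""
    alerts = set()
    recent = [f for f in flows if f.hour >= baseline_hours]
    for src, per_hour in hourly_egress(recent).items():
        med, mad, _ = baseline.get(src, (0.0, 0.0, set()))
        scale = max(mad, floor)             # never divide by a zero MAD on a very regular host
        for hour, total in per_hour.items():
            if (total - med) / scale > k:
                alerts.add((hour, src, "egress_volume", f"{total}B vs median {med:.0f}B"))
    for f in recent:
        _, _, peers = baseline.get(f.src, (0.0, 0.0, set()))
        if (f.dst, f.dst_port) not in peers:
            alerts.add((f.hour, f.src, "new_peer", f"{f.dst}:{f.dst_port}"))
    return sorted(alerts)


# Constructed sample: 24 baseline hours of steady traffic from two hosts to an internal
# service, then one hour in which 10.0.0.5 also pushes 5 MB to a never-seen external host.
BASELINE_HOURS = 24
SAMPLE_FLOWS = (
    [Flow(h, "10.0.0.5", "10.0.0.1", 443, 55_000 + (h % 5) * 2_000) for h in range(BASELINE_HOURS)]
    + [Flow(h, "10.0.0.8", "10.0.0.1", 443, 55_000 + (h % 5) * 2_000) for h in range(BASELINE_HOURS)]
    + [
        Flow(24, "10.0.0.8", "10.0.0.1", 443, 60_000),          # ordinary hour, no alert expected
        Flow(24, "10.0.0.5", "10.0.0.1", 443, 60_000),          # ordinary traffic ...
        Flow(24, "10.0.0.5", "198.51.100.7", 443, 5_000_000),   # ... plus a large push to a new peer
    ]
)


def run_example() -> List[Tuple[int, str, str, str]]:
    baseline = build_baseline(SAMPLE_FLOWS, BASELINE_HOURS)
    return detect(SAMPLE_FLOWS, baseline, BASELINE_HOURS)


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

Two details matter in practice: hours with no traffic are scored as zero rather than skipped, so a host that normally goes quiet overnight is not baselined only on its busy hours, and the spread is floored so that a perfectly regular host does not generate an alert on a trivial change. Real deployments also need seasonality (weekday versus weekend baselines), which this example omits.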

NetWitness Network includes over 150 out-of-box integrations, with the option of creating additional integrations via a REST API and SDK. In addition, NetWitness’s portfolio includes NetWitness Insight (asset discovery, classification, and profiling), NetWitness Logs (tightly integrated log collection, detection, and response), NetWitness Orchestrator (integrated orchestration, automation, response, and threat intelligence management), and NetWitness Respond (a built-in incident management tool). Moreover, NetWitness Network can be deployed as a managed security solution or managed detection and response offering for organizations preferring to outsource some or all of the administrative and/or investigative burden.

Strengths: NetWitness Network provides comprehensive network visibility, detection, forensics, and response and can be deployed to observe inbound/outbound packet traffic, internal traffic, or both. NetWitness offers a comprehensive suite of real-time detection capabilities without sampling, collecting and retaining all information for both immediate detection and later investigation, hunting, and forensic reconstruction. In addition, depending on the use case, customers can choose between a full-packet and a metadata-only licensing model to limit costs while still taking advantage of the detection capabilities.

Challenges: NetWitness must simplify administration and eliminate overhead by adding centralized policy-based administration to allow configurations to be easily deployed to groups of sensors. In addition, NetWitness must expand its analytics and selective data retention capabilities for threat analysis and compliance by implementing a horizontally scalable data lake or datastore solution with simple structured query language support for investigation and reporting.

OpenText: OpenText Network Detection & Response

Founded in 1976, OpenText acquired Bricata in November 2021, complementing Bricata’s deep-visibility NDR solutions with the power of OpenText Security Cloud to provide increased customer protection. Moreover, the combination of Bricata’s NDR technology and OpenText’s EDR, digital forensics, and incident response solutions enables security teams to gain 360-degree visibility of their environments to detect threats, conduct root cause analysis, and restore systems to a trusted state. In January 2023, OpenText completed the acquisition of Micro Focus, boosting its information management and security capabilities.

Figure 16. OpenText Network Detection & Response at a Glance

Capturing traffic via physical and virtual sensors and third-party infrastructure (PCAP), OpenText Network Detection & Response (previously Bricata Network Detection and Response) fuses detection, forensic analysis, and proactive threat-hunting to provide high-performance enterprise security teams complete visibility. Horizontally scalable with the ability to monitor and apply policies to any network segment for accurate east-west analysis, the solution offers signature inspection, stateful anomaly detection, and machine-learning-powered malware conviction to quickly defend against both known and unknown threats.

OpenText Network Detection & Response combines CylanceINFINITY for ML-based malware analysis, open-source Suricata for signature-based network threat detection, and open-source Zeek for protocol-aware metadata extraction and context, enabling network baselining, host and service profiling, passive inventory collection, anomaly detection and threat hunting, and policy enforcement. While Suricata identifies signature-based attacks, Zeek provides the metadata and context necessary to triage Suricata alerts and build detailed timelines of the activity in question. OpenText NDR offers over 50 metadata feeds for additional threat hunting and can ingest traffic from visibility partners such as Gigamon and Ixia. Third-party data feeds can also be integrated via OpenText's RESTful API and data export functionality.

In addition to an intuitive user interface, OpenText Network Detection & Response includes a full-fledged RESTful API for programmatic interaction with external systems. Moreover, OpenText offers a rich technology stack, including SIEM and SOAR, based on both legacy OpenText Enterprise initiatives and the acquisition of Micro Focus in January 2023. OpenText NDR operates on AWS, Azure, and GCP.

OpenText’s portfolio includes EnCase Endpoint Security, EnCase Endpoint Investigator, and Managed Extended Detection and Response (MxDR). Tackling the most advanced internal or external endpoint attacks, EnCase Endpoint Security enables security analysts to quickly detect, validate, analyze, triage, and respond to incidents. EnCase Endpoint Investigator allows digital forensic investigators to discreetly collect and analyze court-accepted evidence from computers, the cloud, and mobile devices. In addition, Managed Extended Detection and Response services use advanced workflows—correlating information from across endpoints, networks, the cloud, and other sources—to detect unknown threats, investigate and prioritize alerts, and allow internal teams to focus on operations.

Strengths: Deployed in any physical, virtual, or cloud environment, OpenText Network Detection & Response encompasses detection, forensic analysis, and proactive threat-hunting to provide complete 360-degree visibility. By combining signature inspection and stateful anomaly detection to defend against known and unknown threats, the solution delivers full context for direct answers via an intuitive web GUI, empowering organizations to take immediate action. Moreover, while the integration of Micro Focus and OpenText technologies is still in its early stages, the combination has the potential to provide new capabilities for managing increasingly complex digital and hybrid infrastructures.

Challenges: While OpenText Network Detection & Response primarily provides signature-based detections and high-fidelity metadata for further analysis, it currently lacks support for advanced non-signature-based threat detections, streaming analytics, historical modeling, and NDRaaS. In addition, the solution offers limited native functionality for cloud capture without the use of external tools. Support for these features is expected to be available in early 2024. While the merger of Micro Focus and OpenText has upside potential, prospective customers should be aware that the growth of both companies has historically lagged behind the industry.

Plixer: Plixer Enterprise Platform

Founded in 1999, Plixer is a global provider of network traffic analysis and observability solutions. Plixer is best known for Scrutinizer (now part of the Plixer Core Platform), a network traffic analysis system that captures, displays, and reports on data from a wide range of network devices to help organizations monitor network behavior, identify unusual patterns, and diagnose potential problems. The Plixer Enterprise Platform—based on Scrutinizer and using the same sensors for data collection—enables high-capacity network flow collection, threat detection, incident response, and forensic analysis, providing organizations with comprehensive network traffic analysis and cybersecurity insights.

Figure 17. Plixer Enterprise Platform at a Glance

As a flow-based solution, Plixer’s platform ingests, analyzes, correlates, and contextualizes network-related data and metadata from a broad range of hybrid data sources spanning multiple domains (or IT asset classes) such as endpoints, identities, and network. Comprehensive Layer 2 through Layer 7 visibility (and context for root cause analysis or RCA) provides both internal and external threat detection without the need to deploy and maintain expensive packet processing solutions. In addition, Plixer provides optional probes that can be deployed to address specific customer needs (for example, creating flow data from raw network traffic in rare cases where flow exporting devices are not present). Acting as a layered threat detection backstop to drive desired protection level outcomes, the telemetry can also be used to verify the proper configuration and operation of existing network and security controls and posture management.

The Plixer Enterprise Platform collects and contextualizes information from network locations in physical, virtual, and cloud environments, monitoring north-south traffic that crosses the enterprise perimeter and east-west communications to provide complete network visibility and detect attackers as they move laterally within the network. In addition, the platform allows single hosts or entire subnets to be monitored from multiple levels in the network. Intelligent deduplication keeps alarm data accurate and trimmed down to only what users need to see.

The platform supports analytics using threshold-based algorithms, supervised and unsupervised machine learning, and deep learning combined with user-definable detection sensitivity thresholds, baselined seasonality, customizable modeling dimensions (including protocols such as remote desktop or RDP), encrypted traffic analytics (ETA), MITRE ATT&CK framework mapping, threat intelligence feed integration (via STIX/TAXII), and detection transparency for ML models. In addition, Plixer can automate responses via a REST API or, in some cases, via native integrations, such as isolating a suspicious endpoint through Microsoft Defender. Moreover, Plixer delivers its encrypted traffic analysis capabilities through DNS data exfiltration detection, FQDN tracking, JA3/JA3S fingerprinting, and malware detection using supervised machine learning, with plans to provide additional capabilities during 2023.
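JA3 fingerprinting, mentioned above, is the one encrypted-traffic technique whose definition is fully public: the fingerprint is the MD5 of the decimal ClientHello version, cipher suites, extension types, supported groups, and EC point formats, joined by dashes within a field and commas between fields, with GREASE values (RFC 8701) removed. The following added example (written for this page, not Plixer's code) parses a raw TLS ClientHello record and computes that string and hash. The ClientHello is constructed in the block, including GREASE cipher, extension, and group values that the parser must drop; with those removed it is built to reproduce the reference string and hash published in the JA3 project's README.

```python
"""Compute a JA3 TLS client fingerprint from a raw ClientHello record (added example)."""
import hashlib
import struct
from typing import List, Tuple


def _is_grease(v: int) -> bool:
    # GREASE values are 0x0a0a, 0x1a1a, ... 0xfafa: both bytes equal and low nibbles 0xa.
    return (v & 0x0F0F) == 0x0A0A and (v >> 8) == (v & 0xFF)


def ja3_string(record: bytes) -> str:
    """Parse a TLS record carrying a ClientHello and return the JA3 string."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:]                       # skip 5-byte record header (type, version, length)
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    version = struct.unpack("!H", hs[4:6])[0]   # JA3 uses the handshake-layer client_version
    pos = 6 + 32                                # skip 32-byte client random
    pos += 1 + hs[pos]                          # session_id length + session_id
    cs_len = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    ciphers = [c for (c,) in struct.iter_unpack("!H", hs[pos:pos + cs_len]) if not _is_grease(c)]
    pos += cs_len
    pos += 1 + hs[pos]                          # compression_methods length + methods
    exts: List[int] = []
    groups: List[int] = []
    formats: List[int] = []
    if pos + 2 <= len(hs):                      # extensions block is optional
        ext_len = struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            data = hs[pos:pos + elen]
            pos += elen
            if _is_grease(etype):
                continue
            exts.append(etype)
            if etype == 0x000A:                 # supported_groups (formerly elliptic_curves)
                n = struct.unpack("!H", data[:2])[0]
                groups = [g for (g,) in struct.iter_unpack("!H", data[2:2 + n]) if not _is_grease(g)]
            elif etype == 0x000B:               # ec_point_formats
                formats = list(data[1:1 + data[0]])
    dash = lambda xs: "-".join(str(x) for x in xs)
    return f"{version},{dash(ciphers)},{dash(exts)},{dash(groups)},{dash(formats)}"


def ja3_hash(record: bytes) -> str:
    return hashlib.md5(ja3_string(record).encode()).hexdigest()


def build_client_hello(version: int, ciphers: List[int],
                       extensions: List[Tuple[int, bytes]]) -> bytes:
    """Serialize a minimal ClientHello record (used only to construct sample input)."""
    body = struct.pack("!H", version) + b"\x00" * 32 + b"\x00"       # version, random, empty session id
    body += struct.pack("!H", 2 * len(ciphers)) + b"".join(struct.pack("!H", c) for c in ciphers)
    body += b"\x01\x00"                                               # one compression method: null
    ext_blob = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body += struct.pack("!H", len(ext_blob)) + ext_blob
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


# Constructed sample ClientHello (not a capture). GREASE values 0x0a0a, 0x1a1a, 0x2a2a are
# included deliberately; once stripped, the result matches the JA3 README reference example.
SAMPLE_HELLO = build_client_hello(
    0x0301,
    [0x0A0A, 47, 53, 5, 10, 49161, 49162, 49171, 49172, 50, 56, 19, 4],
    [
        (0x1A1A, b""),                                                   # GREASE extension
        (0, b"\x00\x0c\x00\x00\x09" + b"localhost"),                     # server_name (assumed SNI)
        (10, b"\x00\x08" + struct.pack("!HHHH", 0x2A2A, 23, 24, 25)),    # supported_groups
        (11, b"\x01\x00"),                                               # ec_point_formats: uncompressed
    ],
)

if __name__ == "__main__":
    print(ja3_string(SAMPLE_HELLO))
    print(ja3_hash(SAMPLE_HELLO))
```

Stripping GREASE is not optional: browsers randomize which GREASE values they send, so a parser that keeps them produces a different hash for every connection from the same client and the fingerprint loses its value as an indicator. Note also that JA3 identifies the client software, not the intent, so a hash should be used for correlation and allow/deny-listing rather than as a verdict on its own.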

Strengths: Leveraging available telemetry from the existing IT infrastructure to glean readily available insights, the Plixer Enterprise Platform complements and extends the detection capabilities of the current security infrastructure and tools, providing comprehensive Layer 2 through Layer 7 visibility, all without needing to rip and replace existing IT investments. Plixer supports an array of detection techniques—including threshold-based analytic algorithms, supervised and unsupervised machine learning, and deep learning—enabling the platform to identify sophisticated attacks, such as potential poisoning (evasion) of machine learning that other platforms may not recognize. Plixer also includes the ability to stream data via Kafka to customer-managed security data lakes for further analysis.

Challenges: While VPC flow logs are currently used as a data source, the Plixer Enterprise Platform lacks support for monitoring cloud workloads and services, such as containers and microservices. In addition, Plixer must improve support for MSP customers, including centralized dashboards, centralized administration, automated provisioning, and billing. Moreover, the platform is being revamped to support technologies such as Terraform and Kubernetes to optimize cloud deployments. While these items are either in development or on the roadmap, prospective customers should verify the delivery timeframes.

Progress: Flowmon NDR

Originally founded in 2007 by a team of researchers based on a technology transfer from CESNET, Flowmon Networks was acquired by Progress through the acquisition of its parent company, Kemp Technologies, in November 2021. Progress’ Flowmon NDR solution comprises Flowmon Collector, which analyzes and stores network telemetry, and Flowmon Anomaly Detection System (Flowmon ADS), a software module installed on the Flowmon Collector to provide NDR capabilities using network flow records and service logs for detection and analytics. In addition, optional Flowmon Probe sensors can be deployed to monitor network traffic and export enriched network telemetry in IPFIX format, with optional Flowmon IDS Probes using Suricata for signature-based detection using community rules with the option for customers to purchase commercial rule sets.

Figure 18. Flowmon NDR at a Glance

Flowmon Collector is a stand-alone physical or virtual appliance (deployed on Hyper-V, KVM, AWS, Azure, or GCP) for the collection, long-term storage, and analysis of flow data (IPFIX, NetFlow, sFlow, and other NetFlow-compatible standards) from flow-enabled devices, Flowmon Probes, or other flow sources. While a centralized management and configuration console provides consolidated data aggregation and visualization for all units, each Flowmon Collector is equipped with the Flowmon Monitoring Center (FMC) for complete visibility into network traffic via dashboards with the possibility to drill down into any traffic. Moreover, as an integrated telemetry storage solution, Flowmon Collector offers threat hunting as a native capability.

Flowmon ADS combines multiple ML-powered detection mechanisms to identify malicious behavior, attacks against mission-critical applications, and data breaches at any point of the threat’s lifecycle, allowing it to uncover unknown and insider threats even in encrypted traffic. Flowmon leverages over 40 methods and more than 200 algorithms, including machine learning, behavior analysis, MISP threat intelligence, IoCs, and reputation databases, with automated packet capture available on demand. In addition, ADS leverages external threat intelligence feeds, IDS signatures, and community blacklists.

The Flowmon GUI provides context-rich visualization with drill-down analysis immediately at hand. Incidents are ranked according to severity with an easy-to-use customization wizard that builds on proven out-of-the-box configurations. In addition, Flowmon can be integrated with network access control, authentication, firewall, or other immediate incident response tools with a fully documented and supported REST API available to develop integrations and additional capabilities.

In addition, Flowmon Packet Investigator (FPI), a network traffic auditing tool that automatically records and analyzes complete packet data, enables on-demand full packet capture and analysis capabilities to be added to Flowmon. Combining automated packet capture (PCAP) analysis and built-in expert knowledge, it provides an instant deep understanding of emergent issues and offers suggestions for remedies. Furthermore, FPI can also be triggered when Flowmon ADS detects an anomaly, with the built-in memory buffer in the Flowmon collector capturing the relevant packets for forensic analysis.

Strengths: Flowmon integrates network operations and security operations in a single system with the ability to duplicate and forward flow data to multiple destination systems in parallel, including format conversion. Moreover, Flowmon leverages IPFIX flow technology—with the option to trigger on-demand full packet capture—that stores a small amount of data compared to traditional packet-based solutions, providing a highly scalable solution for enterprises and SMBs without a corresponding cost increase. In addition, one Flowmon Collector can process up to 400,000 flows per second, while Flowmon ADS can process up to 100,000 flows per second, per appliance with horizontal scaling under the control of a single management console.

Challenges: Flowmon must improve its encrypted traffic analysis capabilities, including distinguishing malicious encrypted connections by correlating information from different communication channels and automatically collating it using AI-powered algorithms. In addition, Flowmon must improve the correlation of complex events into high-level incidents, providing genuinely actionable intelligence and empowering security teams to prioritize threats according to business impact to reduce threat hunting time, sensitive data loss, and overall breach impact.

Stamus Networks: Stamus Security Platform

Founded in 2014, Stamus Networks is a global provider of high-performance network-based threat detection and response systems, helping enterprise security teams accelerate their response to threats with solutions that uncover severe and imminent risks from cloud and on-premises network activity. Evolving from a next-generation intrusion detection system/network security monitoring platform into an NDR solution, the Stamus Security Platform (SSP) supports a range of use cases relying on advanced network traffic inspection, including the detection of malware, ransomware, unauthorized activity, shadow IT, and threat hunting.

Figure 19. Stamus Security Platform at a Glance

The Stamus Security Platform is an open network-based threat detection and response system delivering actionable network visibility and broad-based threat detection. Built on top of the widely deployed Suricata network detection engine, SSP provides DPI, flow and protocol logging, packet capture, file extraction, and signature-based detection. Available in two license tiers, Stamus Network Detection (ND) includes basic Suricata detection, triage, and threat hunting, while Stamus Network Detection and Response (NDR) adds customizable threat intelligence, automated high-fidelity threat prioritization and notification, ML-based analytics, and asset-oriented insights.

Deployed in private clouds, public clouds, on-premises, or hybrid environments, SSP comprises multiple Stamus Network Probes and a Stamus Central Server, each playing a critical role in scaling the system. Stamus Network Probes capture flow data, full packets (PCAPs), and network protocol transactions, inspecting and analyzing network traffic using DPI to perform real-time threat detection. Each probe enriches identified events with extensive metadata before delivering the data to the Stamus Central Server for additional analytics, processing, and more layers of threat detection.

The Stamus Central Server provides centralized probe management, third-party threat intelligence and rulesets, consolidated event storage, and a central integration point. Incorporating an additional layer of machine learning and algorithmic threat detection, the central server provides automated event triage enabled by tagging and classification. Unlike SaaS solutions and appealing to highly regulated organizations concerned about shipping their logs into an uncontrolled vendor data center, the Stamus Central Server can be deployed in an entirely air-gapped installation, a corporate colocation facility or data center, or a public cloud environment.

Furthermore, the Stamus Central Server provides a powerful threat-hunting and incident investigation user interface, collecting up to 4,000 data fields for every threat indicator and making it available to security analysts. In addition, all data generated by the Stamus Security Platform—including alerts, events, host insights, and protocol transactions—can be exported and shared with any SIEM or SOAR system.

Strengths: Providing algorithmic anomaly detection, heuristics, machine learning, and classic signature-based and IoC matching threat detection based on DPI-derived protocol transactions and flow records, Stamus Security Platform preserves the best features of IDS, NSM, and NDR while eliminating the weaknesses. Moreover, for organizations looking for a turnkey deployment experience, Stamus offers a family of integrated network appliances optimized for and preloaded with the Stamus Network Probe or Stamus Central Server software.

Challenges: Stamus must improve its anomaly-based threat detection capabilities, including ML-based techniques such as host posture change detection, DNS tunnel detection, newly seen suspected malicious metadata, host outlier detection, and host attribute popularity detection. The user experience also needs to be improved by reducing the volume of data presented in the SSP analytics console, along with the addition of executive-level features, including suspicious activity roll-ups, attack surface dashboards, and more complete and exportable incident reports and supporting evidentiary files. Stamus Networks has no plans to offer a managed NDR service.

Trellix: Trellix Network Detection and Response

Founded in January 2022 following the merger of security vendors FireEye and McAfee Enterprise, Trellix is a cybersecurity provider focused on developing an XDR platform protecting applications, data, and users across all platforms, including endpoints and cloud or on-premises infrastructure. Delivering device-to-cloud security spanning multicloud and on-premises environments, Trellix’s portfolio includes collaboration, cloud, data, endpoint, and network security solutions leveraging common analytics and threat intelligence capabilities.

Figure 20. Trellix Network Detection and Response at a Glance

Comprising Trellix Network Security (formerly FireEye), Trellix Intrusion Prevention System (formerly McAfee Network Security Platform), and Trellix Network Forensics, Trellix NDR can be deployed either as a stand-alone solution ingesting data from its own physical or virtual sensors or as an add-on to an existing Trellix deployment. Complementing statistical analysis with heuristics, IDS signatures, supervised and unsupervised machine learning, and threat intelligence, Trellix NDR analyzes DNS logs, flow records, and network packets to detect threats.

Automatically spotting suspicious network behavior and preventing attacks that elude traditional signature- and policy-based security, Trellix Network Security combines multiple AI, machine learning, and correlation engines to detect and respond to advanced threats and lateral movements in minutes. In addition to analyzing web shell traffic, determining what the web shell is doing, when it is active, and what devices are being used, customers can enable SmartVision mode to detect suspicious lateral movements within an enterprise network between clients and network devices communicating over the Server Message Block (SMB) protocol. SmartVision mode can be deployed in different ways to best meet network designs and requirements, enabling incident responders to quickly identify an attack in progress and begin an investigation.

Trellix Intrusion Prevention System (IPS) integrates with the Trellix Multi-Vector Virtual Execution (MVX) engine and Trellix Intelligent Sandbox technology to detect and prevent known, zero-day, and near-zero-day malware without degrading quality of service for network users. Trellix MVX is a signature-less, dynamic analysis engine that inspects suspicious network traffic to identify zero-day, multiflow, and other evasive attacks that bypass traditional signature- and policy-based defenses, stopping the infection and compromise phases of the cyberattack kill chain by identifying never-before-seen exploits and malware.

Accelerating the network forensics process with a single workbench that simplifies investigations and reduces risk, Trellix Network Forensics pairs fast, lossless network data capture and retrieval with centralized analysis and visualization. Trellix investigation analysis appliances provide real-time indexing of all captured packets using time stamps and connection attributes, enabling analysts to review specific network packets and sessions before, during, and after an attack. In addition, automated processes identify data theft, using proprietary algorithms to diagnose potentially anomalous network behavior.

Strengths: Trellix Network Detection and Response provides advanced detection of targeted attacks, inline mitigation capabilities, and various deployment modes tailored to meet the needs of the enterprise. Events are correlated across multiple security vectors—including email and endpoint—for end-to-end protection using AI, machine learning, and correlation engines to monitor attacks around the clock with low false positive rates. Contextual intelligence allows SecOps staff to quickly and accurately resolve incidents, with automated alert-response workflows speeding up time to resolution.

Challenges: Trellix Network Detection and Response lacks device and user mapping, including support for multiple secure sockets layers (SSLs). In addition, Trellix must enhance the sandboxing feature to dynamically adjust a policy based on score. Users report limited integration with third-party firewalls and proxies, and contacting Trellix support often entails long wait times.

Trend Micro: Network One

Founded in 1988, Trend Micro is a multinational cybersecurity software company developing content security and threat management solutions for businesses, governments, and consumers. In addition to protecting against a wide variety of cybersecurity threats—including advanced persistent threats, malware, and ransomware—Trend Micro’s portfolio encompasses hybrid cloud security, network defense, user protection, and security services leveraging advanced AI, ML, and security analytics techniques to detect, block, and mitigate specific cyber threats and targeted attacks.

Figure 21. Network One at a Glance

Ingesting data from hardware and software sensors, firewall logs, Trend Micro, and third-party products, Trend Micro Network One comprises a family of solutions combining Trend Micro’s Deep Discovery Inspector (DDI), TippingPoint Threat Protection System (TPS), and advanced threat protection (ATP) techniques to protect IT and OT networks.

As a physical or virtual network appliance, Trend Micro Deep Discovery Inspector monitors all north-south and east-west traffic across physical and virtual network segments, all network ports, and over 100 network protocols for complete visibility into all aspects of targeted attacks, advanced threats, and ransomware. Deep Discovery Inspector uses specialized detection engines and custom sandbox analysis to identify advanced and unknown malware, ransomware, zero-day exploits, command and control communications, and evasive attacker activities that are invisible to standard security defenses.

Deployed inline to monitor out-of-band traffic and analyze slow-moving or time-delayed attacks in real time at wire speeds with very low latency, TippingPoint TPS appliances inspect north-south and east-west traffic using various techniques—including DPI, IPS signatures, threat reputation, URL reputation, and advanced malware analysis on a flow-by-flow basis—to detect known, unknown, and undisclosed vulnerabilities. Automating the aggregation of threat data from multiple security tools, Trend Micro TippingPoint Security Management System (SMS) Threat Insights is an aggregation portal that takes events from TippingPoint TPS, sandboxing solutions, and vulnerability scanners, then displays them in one place to prioritize, automate, and consolidate network threat information, providing a common framework for evaluation and resolution.

In addition, Trend Micro Network One provides comprehensive contextual awareness and deep traffic analysis combined with Trend Micro Research and TippingPoint Digital Vaccine (DV) threat intelligence to provide increased visibility and trusted insights to withstand current and future threats. Moreover, Trend Micro’s security research team constantly develops and distributes new digital vaccine protection filters for security vulnerabilities discovered via Trend Micro’s Zero Day Initiative (ZDI), the world’s most extensive bug bounty program. Encouraging the responsible reporting of zero-day vulnerabilities, global participants identify and report previously unpatched vulnerabilities to affected vendors according to a carefully curated, collaborative process to ensure all vulnerabilities are appropriately surfaced and addressed.

Strengths: Trend Micro Network One provides network-wide visibility, tailored sandboxing, threat intelligence sharing, and other advanced features with contextual telemetry from high-risk, often invisible network segments, including unmanaged assets and shadow IT deployments, to make organizations more resilient to threats and attacks. Centralized management allows security policies and alerts from various endpoints and locations to be managed via a single console.

Challenges: Trend Micro’s portfolio is challenging to navigate, with product names, marketing material, and licensing constantly changing. In addition, customers report that licensing and maintaining the various components can be expensive and configuration challenging, making it difficult for SMBs to deploy advanced threat detection and response capabilities using Trend Micro solutions. The company promotes integration within the customer’s existing Trend Micro security product portfolio to take advantage of multiple product correlation capabilities.

Vectra AI: Vectra NDR

Founded in 2010, Vectra AI specializes in applying artificial intelligence to detect and respond to cyberattacks in real time. Optimizing AI to detect attackers’ techniques, Vectra AI provides high-fidelity threat signals and detailed contextual information, enabling cybersecurity teams to respond rapidly and prevent attacks from becoming breaches. Vectra AI’s patented Attack Signal Intelligence detects and prioritizes threats across public cloud, SaaS, identity, and networks in a single platform. Advanced AI techniques and ML-driven deep learning models expose the actual behavior and purpose of the traffic (including encrypted traffic) without depending on signatures, enabling Attack Signal Intelligence to surface covert communications, regardless of the application.

Figure 22. Vectra NDR at a Glance

Leveraging Attack Signal Intelligence to analyze network traffic collected via physical and virtual network appliances, the Vectra AI Platform (formerly Vectra Cognito) includes Vectra Network Detection and Response (NDR); Vectra Cloud Detection and Response (CDR) for AWS; Vectra Cloud Detection and Response (CDR) for M365; Vectra Identity Detection and Response (IDR) for Azure AD; Vectra Recall to query, investigate, and hunt for threats; Vectra Stream for delivering security-enriched metadata to a data lake; Vectra Match for signature ingestion; and Vectra Managed Detection and Response (MDR).

Vectra NDR automates threat detection with advanced analytics, deep learning, complex behavior analysis, and insights into attacker methods to identify potential threats from billions of data points. Security teams can pinpoint threats and attributions around attacks and malicious transactions on the network, including duplicate or asymmetric traffic and encapsulations, to automatically distinguish the accuracy of weak indicators, identify evasive and unknown patterns, and detect over 90% of MITRE ATT&CK framework tactics and techniques.

Unlike other AI/ML approaches that simply detect anomalies and require constant human tuning and maintenance, Vectra AI’s Attack Signal Intelligence uses AI/ML to correlate and triage the most critical and urgent threats specific to each unique customer environment. Reducing alert noise and surfacing only relevant true positive events, Attack Signal Intelligence identifies, categorizes, and prioritizes actively progressing attacks, providing context for each, establishing commonalities between events spanning accounts, hosts, network, and cloud, and determining a score to assess the criticality of each detection without requiring human involvement.

In addition, Vectra AI’s MDR offering, Vectra MDR, supplements in-house resources with a shared-responsibility model through which customers and Vectra analysts collaborate to hunt, detect, prioritize, investigate, and respond to hybrid and multi-cloud attacks.

Strengths: The Vectra AI Platform offers a rich solution with high-fidelity AI-driven Attack Signal Intelligence for hybrid and multicloud environments, going beyond anomaly detection to detect, triage, and prioritize threats based on attacker tactics, techniques, and procedures. Vectra AI’s physical and virtual sensors are easy to deploy, extending Vectra AI threat detection coverage across the physical network and into virtualized data centers to passively monitor network traffic, extract critical metadata, and forward it to Vectra AI for analysis and threat detection.

Challenges: With limited data parsing capabilities, Vectra AI must enhance its ability to pull Suricata signatures into Vectra NDR to provide detection, triage, prioritization, and investigative context for both known (signature-based) threats and unknown (behavior-based) threats. Analyzing only metadata or basic flow information, Vectra NDR does not provide the ability to decrypt traffic or to search for and reconstruct full packet captures. Customers report that a high level of technical cybersecurity knowledge is required to deploy the Vectra AI Platform.

VMware: VMware NSX Advanced Threat Prevention

Founded in 1998, VMware is an established player in the networking and security space and now offers an advanced NSX platform that embeds security into the network virtualization infrastructure. With comprehensive security capabilities to protect traffic across virtual, physical, containerized, and cloud workloads, NSX is integrated into the virtualization infrastructure, providing complete visibility into all applications and workloads. The NSX security controls reside in the hypervisor, effectively decoupling the control from the workload. Security enforcement controls are located at the virtual network interface of each workload, providing a granular mechanism to police traffic flows.

Figure 23. VMware NSX Advanced Threat Prevention at a Glance

Available as a standalone product (formerly known as NSX NDR and NSX Defender) or as an add-on to the NSX Distributed Firewall and the NSX Gateway Firewall, VMware’s NSX ATP provides network security capabilities that protect organizations against advanced threats. Combining multiple detection technologies—intrusion detection/prevention systems, network sandboxing, and network traffic analysis (NTA)—with ML-enabled aggregation, correlation, and context engines, ATP’s complementary capabilities provide a cohesive defensive layer, increasing detection fidelity, reducing false positives, and accelerating remediation while decreasing security analysts’ manual work.

Ingesting data from the NSX-licensed virtual network interface cards (vNICs) within the hypervisor or NSX gateway firewalls and sensors, ATP provides complete visibility into both north-south and east-west traffic, delivering a comprehensive overview of abnormal behavior across the network using a combination of techniques, including supervised and unsupervised machine learning, Suricata IPS signatures, a malware detection engine, and input from VMware’s global threat intelligence network, VMware Contexa. In addition, ATP extends protection to all assets in the infrastructure, including devices that do not have endpoint protection installed, such as physical servers with legacy workloads.

ATP includes advanced aggregation, correlation, and context engines to detect both known threats and new, evolving threats. The aggregation engine combines signals from individual detection technologies to reach a verdict (malicious or benign) on network activities. The correlation engine combines multiple related alerts into an intrusion campaign, while the context engine collects data from various sources (including sources outside NSX) to enrich the information provided to security analysts.

Typically deployed in IT environments with non-vSphere workloads, NSX ATP (stand-alone) provides workflows for both visualization-based and metadata-based threat hunting. Sharing low-level analysis artifacts—including malware activities—mapped to the MITRE ATT&CK framework, ATP allows SOC staff to submit objects manually via an API to the network sandbox, query threat intelligence included in VMware Contexa, and define customized analysis rules. In addition, ATP provides robust integrations with third-party SIEM and SOAR tools commonly used in SOCs.

Strengths: VMware NSX Advanced Threat Prevention combines multiple detection technologies with ML-enabled aggregation, correlation, and context engines with built-in features—such as microsegmentation—to protect organizations against advanced threats. For clients heavily invested in running their workloads on VMware hypervisors, deploying ATP is an efficient way to ingest network data because NSX does not require hardware sensors. Ingested traffic can be analyzed either on-premises or in the cloud, with JA3 signatures, TLS decryption, and proprietary analysis techniques used to analyze encrypted traffic.

Challenges: While ATP can be deployed as a standalone solution in non-vSphere environments, it is primarily designed to work with VMware’s product portfolio, including NSX Distributed Firewall and the NSX Gateway Firewall. NSX supports only the VMware ESXi and open-source KVM hypervisors. VMware must improve the out-of-the-box integration capabilities with public cloud services and third-party security platforms. Customers report that, while worth the effort, NSX is very complex and challenging to deploy and configure, with a steep learning curve.

6. Analyst’s Take

In today’s dynamic business landscape, organizations face the challenge of managing complex IT environments and expanding attack surfaces. Fortifying their defenses with a robust cyber architecture requires deploying a dependable network detection and response solution. NDR plays a pivotal role in identifying suspicious activities and malicious entities while enabling a swift response to threats. By continuously scrutinizing network traffic, NDR tools construct models of “normal” behavior within enterprise networks, enabling the detection of anomalous traffic and timely alerts.

However, the congested NDR landscape demands that organizations carefully evaluate their security requirements in light of the following choices before choosing an NDR solution:

  • DPI versus metadata analysis: Traditional NDR solutions rely on DPI-based technologies offering comprehensive analysis but cannot analyze encrypted packet payloads without applying sophisticated data science techniques. Metadata analysis—supplemented by application and system logs—provides contextual information without inspecting individual packets, increasing visibility into vulnerabilities such as shadow IT devices.
  • Single versus multiple detection techniques: Some NDR solutions rely on one mode of identification (such as signature-based or anomaly-based detection) but fail to detect new, unknown threats or generate false positives when unusual but legitimate network activities occur. Multiple detection techniques combine different methods to comprehensively examine network behavior, offering a more holistic and robust detection system.
  • Automated versus autonomous versus manual response mechanisms: Automated responses—powered by pre-defined advanced machine learning algorithms—offer rapid response times and scalability and are particularly effective for addressing common threats and large-scale environments. Most effective for containing in-progress attacks, autonomous response mechanisms make suggestions or take action based on the context of the incident without having to predefine every scenario or rely on human intervention. Manual responses, on the other hand, provide greater precision and control and are particularly suited for complex and ambiguous threat situations that require nuanced understanding and decision-making.
  • SIEM, SOAR, and other integrations: Deciding on the correct integration choices for alerts in NDR solutions can dramatically increase their effectiveness in detecting and responding to security incidents. Options include integrating with a SIEM (correlating and analyzing alerts from multiple sources to provide a holistic view of network security), SOAR (automating responses to security incidents), or threat intelligence platforms to enrich alert data with external threat context.
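The first two trade-offs above (metadata analysis rather than DPI, and combining several detection techniques instead of relying on one) can be made concrete with a small added example. This is illustrative code written for this page, not the GigaOm report's own material and not any named vendor's product. It works only on flow metadata (source, destination, port, bytes out), so it never touches packet payloads, and it layers three checks: a signature-style match against a hypothetical indicator list, a per-host baseline of bytes out with a z-score test, and a "new host" observation for sources never seen during the baseline window (the shadow IT visibility the text mentions). All flow records, hosts and the indicator are constructed; the addresses come from the RFC 5737 documentation ranges and do not belong to any real network.

```python
"""Toy NDR detection pipeline over flow metadata (constructed sample data).

Combines the techniques contrasted in the text: an indicator (signature)
match, a per-host bytes-out baseline with a z-score anomaly test, and a
new-host observation. Alerts raised by more than one technique are
prioritised, which is the point of multi-technique detection.
"""
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Flow:
    src: str        # internal source host
    dst: str        # destination host
    dst_port: int
    bytes_out: int  # bytes sent by src in this flow


# Hypothetical indicator list, constructed for this example (not a real feed).
KNOWN_BAD_DESTS = {"203.0.113.7"}

# Constructed "clean window" used to learn what normal looks like per host.
TRAINING_FLOWS = [
    Flow("10.0.0.5", "198.51.100.20", 443, b) for b in (1000, 1200, 1100, 900, 1300)
] + [
    Flow("10.0.0.8", "198.51.100.20", 443, b) for b in (500, 520, 480, 510, 490)
]

# Constructed flows to evaluate against that baseline.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "198.51.100.20", 443, 1150),   # normal volume, known host
    Flow("10.0.0.5", "203.0.113.7", 443, 1000),     # indicator hit, normal volume
    Flow("10.0.0.8", "203.0.113.7", 8443, 50000),   # indicator hit AND volume spike
    Flow("10.0.0.8", "198.51.100.20", 443, 2000),   # volume spike only
    Flow("10.0.0.99", "198.51.100.20", 443, 300),   # host absent from baseline
]


def build_baseline(training: List[Flow]) -> Dict[str, Tuple[float, float]]:
    """Per-source mean and population std-dev of bytes_out over the clean window."""
    per_host: Dict[str, List[int]] = {}
    for f in training:
        per_host.setdefault(f.src, []).append(f.bytes_out)
    return {host: (mean(v), pstdev(v)) for host, v in per_host.items()}


def detect(flows: List[Flow], baseline: Dict[str, Tuple[float, float]],
           z_threshold: float = 3.0) -> List[dict]:
    """Run every technique on each flow; severity grows with corroboration."""
    alerts = []
    for f in flows:
        techniques = []
        if f.dst in KNOWN_BAD_DESTS:
            techniques.append("signature")
        if f.src in baseline:
            mu, sigma = baseline[f.src]
            if sigma == 0:
                # Edge case: a perfectly constant baseline has no spread to
                # normalise by, so any increase over the mean is flagged.
                spike = f.bytes_out > mu
            else:
                spike = (f.bytes_out - mu) / sigma > z_threshold  # one-sided: exfil-like growth
            if spike:
                techniques.append("baseline")
        else:
            techniques.append("new-host")  # never observed during the clean window
        if not techniques:
            continue
        if len(techniques) >= 2:
            severity = "high"
        elif "new-host" in techniques:
            severity = "low"
        else:
            severity = "medium"
        alerts.append({"src": f.src, "dst": f.dst, "dst_port": f.dst_port,
                       "techniques": techniques, "severity": severity})
    return alerts


def run_demo() -> List[dict]:
    """Evaluate the constructed sample flows against the constructed baseline."""
    return detect(SAMPLE_FLOWS, build_baseline(TRAINING_FLOWS))


if __name__ == "__main__":
    for a in run_demo():
        print(a["severity"], a["src"], "->", f"{a['dst']}:{a['dst_port']}", a["techniques"])
```

The flow that matches the indicator and also breaks the host's volume baseline is the only one rated high, while a host simply missing from the baseline is reported at low severity for triage rather than dropped; in a real deployment the baseline would be learned over a much longer window and the indicator set would come from a threat intelligence platform, which is exactly the integration choice the last bullet describes.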

As you explore your NDR options, use this report and the corresponding GigaOm report “Key Criteria for Evaluating NDR Solutions” to evaluate your current and future needs before creating a shortlist of vendors supporting your chosen analysis methods, detection techniques, response mechanisms, and integrations. In a rapidly evolving—and crowded—vendor landscape with the emergence of new entrants and exciting innovation, don’t just settle for your incumbent vendor’s solution. Instead, explore all your options before creating a shortlist based on features, integration, as-a-service capabilities, and your in-house skills. When talking to vendors, ensure that their vision is aligned with yours and that their roadmap includes the features and capabilities your business demands.

7. Methodology

For more information about our research process for Key Criteria and Radar reports, please visit our Methodology.

8. About Ivan McPhee

Formerly an enterprise architect and management consultant focused on accelerating time-to-value by implementing emerging technologies and cost optimization strategies, Ivan has over 20 years’ experience working with some of the world’s leading Fortune 500 high-tech companies crafting strategy, positioning, messaging, and premium content. His client list includes 3D Systems, Accenture, Aruba, AWS, Bespin Global, Capgemini, CSC, Citrix, DXC Technology, Fujitsu, HP, HPE, Infosys, Innso, Intel, Intelligent Waves, Kalray, Microsoft, Oracle, Palette Software, Red Hat, Region Authority Corp, SafetyCulture, SAP, SentinelOne, SUSE, TE Connectivity, and VMware.

An avid researcher with a wide breadth of international expertise and experience, Ivan works closely with technology startups and enterprises across the world to help transform and position great ideas to drive engagement and increase revenue.

9. About GigaOm

GigaOm provides technical, operational, and business advice for IT’s strategic digital enterprise and business initiatives. Enterprise business leaders, CIOs, and technology organizations partner with GigaOm for practical, actionable, strategic, and visionary advice for modernizing and transforming their business. GigaOm’s advice empowers enterprises to successfully compete in an increasingly complicated business atmosphere that requires a solid understanding of constantly changing customer demands.

GigaOm works directly with enterprises both inside and outside of the IT organization to apply proven research and methodologies designed to avoid pitfalls and roadblocks while balancing risk and innovation. Research methodologies include but are not limited to adoption and benchmarking surveys, use cases, interviews, ROI/TCO, market landscapes, strategic trends, and technical benchmarks. Our analysts possess 20+ years of experience advising a spectrum of clients from early adopters to mainstream enterprises.

GigaOm’s perspective is that of the unbiased enterprise practitioner. Through this perspective, GigaOm connects with engaged and loyal subscribers on a deep and meaningful level.

10. Copyright

© Knowingly, Inc. 2023 "GigaOm Radar for Network Detection and Response (NDR)" is a trademark of Knowingly, Inc. For permission to reproduce this report, please contact sales@gigaom.com.